On February 9, 2016, VMware announced a flurry of new EUC-based products to go with the already-announced AppVolumes 3.0. Note I say “announced” and not “generally available.” This annoys me. If something is announced, it should be available for download; it should not be made available at a yet-to-be-announced date several weeks down the line. But that is an aside.
The two main EUC products announced are VMware Workspace ONE and Horizon 7.0. The latter is the next generation of VMware’s venerable Virtual Desktop Infrastructure product (VDI), and the former is a new suite that comprises Horizon View, AirWatch EMM Content Locker, and Workspace.
This article will concentrate on Horizon View 7.0. There are several new features with the release, but the main ones are:
- Instant Clone Technology: This feature has come from the vmFork fling and significantly reduces the time it takes to provision a new desktop to the end user. This also brings benefits from an infrastructure perspective: it reduces infrastructure requirements. Due to the speed of provisioning, there is no need to keep several VDI guests sitting there just waiting for a login. Another facet of this technology is that the guests are truly transient. Every time a user logs out, the machine is torn down and destroyed. Now, this obviously plays very nicely in kiosk environments, but it does mean that in those environments for which a certain permanence is required, more thought is needed. However, VMware has you covered there, too, with App Volumes applications or AppStacks, which can be added to the instance clone, allowing access to those personal or department-based applications. With the use of UEM (User Environment Manager), user personalization information can be captured and stored for the next logon. By using this technology to provide your desktops, you can also increase your threat remediation, as the active section of a desktop is destroyed every logoff. This kills any breaches, Trojans, etc. Remember, the App Volume and the user disks are read-only and cannot actually run executables, so the issue dies with the logoff. See VMware Instant Clone Technology for Just-In-Time Desktop Delivery in Horizon 7 Enterprise Edition for more detail on Instant Clone.
- Blast Extreme: This is not exactly a new protocol, as Blast has been available with the HTML5 Blast gateway product. This filled a niche, but it has some severe limitations, mainly bandwidth inefficiencies, the need for a custom port to be opened (8443), and a poor feature set compared with PCoIP. This limited scope for deployment. However, this has all changed with this release. It has a new name, “Blast Extreme,” and is fully feature-compatible with PCoIP; so USB support, unified communications, and local printing are now all available. It has been optimized, so it is now much more bandwidth efficient. In fact, is has changed so much, it can be and is considered a new protocol. Further, is it not just limited to web deployments now, but has been integrated into the traditional Horizon client.The original Blast protocol was written to provide a solution that could work well from the cloud as well as on-premises. Though PCoIP has done well in both scenarios, they also wanted something that would work well with mobile devices, be more battery friendly, and consume less bandwidth than PCoIP for video. It is as simple as selecting a checkbox to provide access to the new protocol, and if the end client does not understand it, the session will fail over to either PCoIP or RDP for access.
- Smart Policies with Streamlined Access: This feature comprises two elements—True SSO and policy managed client features. The first feature allows for seamless authentication to desktop devices from the Horizon client. This will speed up login times and remove some of the confusion that can happen with new users and a VDI environment over the logon process. The second feature is more important. Policy managed client features allow a View administrator to control the levels of access depending on where the user is logging in from. Access to this feature is through user environment manager, where an extra configuration tab has been added. Activating this feature allows you to define a policy that creates two levels of access, depending on where the access is taking place. For example, if you are accessing your session from an internal location, you will have full access to your session: local devices will map, printing is enabled, etc. However, if you are accessing from a location external to your corporate location, any local devices will be prevented from mapping, and printing may be disallowed.
All in all, this is a nice little upgrade. To me, the most important feature is Smart Policies, although it is based on a pool and not a user and it is limited to only two security levels.
The problem is that most companies have more than two security levels. I may be at a partner site that is not considered a corporate location, but I can print there, or I may be at home and my local devices are authorized from that location, as it is considered safe. That said, it is a good start, and it begins to remove a design limitation by which you would have to have different pools for different access levels.
The most interesting feature to me is the introduction of Blast Extreme. This is a complete new remoting protocol, and it is aimed directly at PCoIP’s site. VMware has been working on this protocol for almost four years. For it to put that much effort into development, I can only assume that it is the beginning of the end for its partnership with Teradici. The benefits that this protocol brings to VMware are that it is in complete control of its development roadmap. I firmly believe that by version 7.1 of Horizon View, Blast Extreme will no longer have feature parity with PCoIP, but rather will exceed it.