Many times we see teams treat VDI as just another desktop in their environment. This is not a good approach as one incorrect setting can impact all VDI users (more importantly how they view you are doing your job). Implementing VDI requires specific attention, planning and continued maintenance.
You are probably thinking, “Who is this guy to tell me what best practices to follow?” I would be thinking the same thing so I’ll give you the type of battleground environment I used to manage. In one of my previous roles I worked for a large insurance company where we implemented VDI for a large portion of our users. I worked through the initial deployment and growing pains as our VDI environment grew from a few hundred users to tens of thousands.
I’m a big fan of the John Cusack movie High Fidelity (http://www.imdb.com/title/tt0146882/) and think almost everything is best explained in top 5 lists.
Image – Think of this as the base of the user experience for VDI. If this is not built properly then all of your users could experience issues in their VDI sessions. Treating your VDI image as if it is a desktop image is a big mistake.
In my previous role our Desktop Engineering team left the VPN client and related applications in the VDI image. When I asked “Why” the response was because we don’t want to manage different image builds and this is a desktop OS so why should we treat VDI differently from physical. They also left restore points active and built the image based on a physical PC. All of these things caused major experience issues for users and a year later we were working on fixing every persistent VM in the environment with scripts which we had to push out.
Take the time to plan out what goes into your image and how the OS and applications are configured. Do not treat the VDI image the same as a physical PC image.
Security – Planning for security in VDI can be tricky. Do you run an Antivirus (AV) product? If yes where do I install it? On the image or run it from the Hypervisor? What about whitelisting? How do I prevent my security products from over taxing my VDI environment? For persistent VM’s how do we manage application or OS updates?
I have seen AV updates and active scans take down an entire cluster and hubs of VMs. These impacted hundreds of users and of course spun off several hours long incident response meetings.
I have spoken with several administrators who stated they do not run AV or whitelisting in their VDI environment because they use non-persistent images and they feel this offers enough protection. I strongly disagree with this assumption. Yes when the VMs reboot they are back at the golden image state however what damage was done to the rest of the environment such as cryptoware working its way across the network.
Taking the time to plan and implement proper security at all levels for VDI is critical but also insuring there is little to no impact for users is key.
Policies – Why maintain a different set of policies for my VDI environment? It is just another desktop in the environment. Again just like images we really need to take the time and review what policies are applying and which ones make sense for VDI. This is also a good opportunity to cleanup any old policies still applying in the environment in general. For life after VDI is implemented, it is critical to plan and test any policy changes before going into production.
User Environment Management (UEM) solutions can greatly assist with managing policies not only in VDI but also in physical. With these solutions administrators can move when policies apply from session startup to application startup where it makes sense. Also with context set to your policies you have greater control of where and when policies apply. For example you may want any local drives visible to physical device users however for VDI users you may want to hide any local drives.
Profiles – If you have moved to VDI you have already felt the pain of moving users over from physical however you may not be past the point of managing user settings. If your users are on Windows 7 now, are you planning to migrate to Windows 10? Are these users tied to one VDI session or do they have multiple sessions as well as a corporate owned asset?
Roaming profiles are a nightmare in any environment but throw them in during a VDI migration and you now have a recipe for disaster. Giving your users a consistent experience with the settings they have maintained is critical in VDI adoption. Users are not going to blame their profile for issues, but they will blame VDI in general and this can lead to slow adoption as more users fight the transition.
UEM solutions offer more control and over the user profile and most provide easy ways to manage user profile bloat as well as rolling back settings in addition to many other benefits. If you are planning to go to VDI you need to think about your users’ settings. Implementing a UEM solution will help with a smooth user setting transition.
If you have already moved to VDI and not implemented a UEM solution, you will want to review the current state of User management. UEM solutions can help address several issues in VDI environments.
NUMBER 5 WITH A BULLET IS… (IF YOU SAW THE MOVIE, YOU’D GET THE REFERENCE):
User Data – Planning where users store their data is critical and guiding them to that path is key. At my last company we used persistent VMs with the C drive visible for users and they could write to it. Very bad idea as users with large data would save it locally as they did not have enough space on their home drives. This led to several disasters where users lost data when a VM went bad and was unrecoverable. Yes, our policy was no local data and users were told but if a path is open to them, users will return to old habits like saving data locally. Plan ahead for user data and storage. Make sure they have plenty of space for their files and growth. Policies and tools for archiving can help in this area. Also hiding the local drives and denying user access is key as well as implementing folder redirection for commonly used save locations. In a complex environment where users go back and forth between physical and VDI this will be key as well as syncing the user data from local devices which could go offline.
Mike Lopez is a Senior Solutions Architect at McGlaun Consulting.