Modern Infrastructure

Can hyperconverged systems transform the enterprise?


Why it's time for locked-down desktops

Employees have mobile devices now, so they're not as tetchy about locked-down desktops at work. IT can finally reap the rewards of tightly controlled desktops.

For years we've talked about the "locked-down desktop" as a major goal of desktop management -- whether you're using virtual or physical desktops. The locked-down desktop (also called the non-persistent desktop) means Windows desktops are fully secured and locked down. A user can't make any changes (apart from simple things like setting desktop wallpapers and changing colors and fonts). Anything else they change is wiped away the next time they log on.

The benefits of locked-down desktops are huge. They lessen support costs because users can't break things. They improve security because viruses and malware can't wreak havoc with the users' admin rights. And, when all desktops are the same, software updating and patching become far simpler.

The biggest reason to lock down desktops is to restrict what we call user-installed apps, or UIAs. Quite simply, users can't install "their" apps onto "their" desktops if the desktop is locked down. But while we've recognized the value of the tightly controlled desktop for decades, it's been difficult to implement. The reason for this is simple: user rebellion. Users' desktops are personal to them (even when it's corporate-owned hardware), and most users object to IT locking them out of "their" desktops.

Several software vendors have tried to solve the UIA problem through all sorts of wizardry, from virtualization to application bubbles and layering. Unfortunately, these products have gained no significant traction, and the "UIA problem" is still a problem.

Or is it?

I've worked with enterprise desktops for 20 years. What I've started to notice lately is that the UIA problem doesn't seem like much of a problem anymore. Five years ago it was all anyone could talk about. But today? Not so much.

In 2015, most of the non-corporate apps that users want access to are not traditional apps at all. They're websites and Web apps. So while in 1995 users would walk up to a non-persistent desktop and get mad because they couldn't install PointCast, in 2015, they say, "Hey, does that locked-down desktop have a browser? Great! I'm fine."

The second change is that every user has a smartphone now, and many have iPads. I can't tell you how much time I spent on user complaints about not having iTunes on locked-down desktops in 2005. It's not a problem now because users have access to their entire music libraries -- not to mention most of the other apps they care about -- in their pockets.

Think about your own collection of non-corporate apps. If you walked into a job in 2005 and they said, "Here's your desktop. It's locked down. You can change nothing," you might have quit right there on the spot! But in 2015, your reaction would be more like, "Does it have a browser? Can I have my iPhone on my desk while I'm working? Meh. It's fine then."

So if you've avoided locking down desktops for the past 20 years, maybe now is the time to revisit the idea. The benefits are huge and users' objections are mostly a thing of the past.


What are the biggest deterrents to using lock-down desktops?
Trust. If you are running a company or even a department and you feel the need to lock down the devices people use every day, you're taking away their power. Without power, without control, without the ability to do their job, people get disenchanted and angry and they move on. Don't lock down the desktops, lock down the system and pay careful attention to logs, access and provisioning. These steps can be done from a different point in the pipeline without alienating your staff and partners.
From my own personal experience, working with open teams and distributed staff, a locked down desktop physically would be a bad move, but a locked-down security and application handling environment I'm less opposed to. At this stage, most of my work happens in the command line or via the browser. I don't really need to use many native applications on my MacBook Pro, so it's less of a burden than it might have been a few years ago. Additionally, carrying an iPhone does answer some of the things that I used to use a computer exclusively for, and yes, having that flexibility does make me more willing to say "sure, whatever policy you need, as long as I can do my work effectively, I'm cool with it."
This sounds great … right up until a knowledge worker needs to download an app to do his job, and can’t. I know, I know, you’re saying McDonald’s workers work in a locked-down environment. RIGHT. They. Aren’t. Knowledge. Workers. If you want to treat employees like McDonald’s workers, and get McDonald’s quality work, by all means, lock down the desktop. Good luck with that.
The need is security and stability. Nobody is against security and stability. The problem is with the way most applications are designed. This results partly from legacy/history and partly from needed/evolving improvements in OS security and support for secure/safe applications. Applications can be designed for installation and use without administrator privilege and the ability to trash stability and security. The OS can be adapted/designed to allow this to work better. We can do it but there is the problem of time, money, and inertia. We are actually quite close.
Locking down desktops...bah, is this the NSA? Is this kindergarten? It's got to be one of the two if we're being that extreme. With the right methods to control information stores, IT should be well-equipped to keep information safe. If they have to resort to locking devices down, then something is missing in their strategy, methodology or training. Find a better way to distrust your employees - one that isn't so obvious and obtrusive.
