Client hypervisors initially caught the attention of IT pros who needed a way to run virtual desktops offline and old versions of Windows on Windows 7 machines. But this desktop virtualization technology also serves as a simple way to secure employee desktops.
Pacer Hibler, a network engineer at New Hanover Regional Medical Center in North Carolina, uses Citrix XenDesktop and initially installed Citrix's bare-metal client hypervisor, XenClient, to run both Windows XP and Windows 7 on one machine. But the additional layer of desktop security it provides proved invaluable.
"Most users like to use [corporate-issue] laptops as their personal machines, so we find nonbusiness applications loaded along with business applications," Hibler said. "As systems administrators, we cannot guarantee that our systems are protected when we cannot control the applications that get installed."
With XenClient, Hibler gives users a personal virtual machine (VM) along with a business VM on the same laptop, and he protects the business desktop by setting policies around what can be installed on the operating systems.
Some administrators use client hypervisors to run secure business VMs on employee-owned machines. "It allows a company to pursue a 'bring your own computer' paradigm and secure the data, while not needing to manage the device itself," said an IT desktop engineer at a Fortune 100 communications company that uses MokaFive's client hypervisor.
Another security feature in client hypervisors is the ability to revoke privileges or kill company-owned VMs when employees leave the company or if their machines are lost or stolen.
For example, if an end user loses a laptop with XenClient installed, administrators can use the Citrix Synchronizer to kill the lost VM and spin up a new VM on another laptop with all of the employee's data intact. "On a regular laptop, the data would be lost," Hibler said.
The Planned Parenthood League of Massachusetts (PPL) uses Virtual Computer's NxTop for similar reasons. Admins use the client hypervisor to encrypt data and remotely manage employee laptops across several sites, said Aaron Caine, CIO of the PPL.
The centralized desktop management features that client hypervisors provide also make it easier to roll out new OS images when it's time to replace compromised machines or upgrade to a new OS version. And security patch delivery can be done as part of image updates.
Choosing a client hypervisor
There are a handful of client hypervisors on the market from companies including Citrix, MokaFive, Virtual Bridges, Virtual Computer and VMware, and each has its own set of requirements and restrictions to consider.
For example, VMware View Client with Local Mode is a Type 2 hypervisor that runs atop Windows, so its stability rides on the OS. Type 1 client hypervisors such as Virtual Computer's NxTop and Citrix's XenClient run on bare metal, providing lower latency and better stability.
The hardware costs and compatibility for each product differ as well. For instance, compared with a bare-metal client hypervisor, a Type 2 hypervisor requires more memory and storage space to support the native OS, the hypervisor and the guest OS.
The PPL's Caine said he considered both types -- VMware View's Local Mode and Citrix XenDesktop with XenClient -- and ultimately chose a Type 1 hypervisor. But he went with Virtual Computer NxTop, mainly because the big-name vendor offerings were too expensive in terms of both software and hardware. Specifically, XenClient requires the Intel vPro chip, which would have meant buying all new laptops instead of extending the life of his existing machines.
"The vPro requirement was a big issue for us, because the cost for laptops with Intel vPro is significantly more," Caine said.
Since Westford, Mass.-based Virtual Computer was one of the first companies to come out with a client hypervisor, it supports more platforms than Citrix XenClient. The company released NxTop Version 3 Service Pack 1 last month with more centralized management controls. Citrix plans to expand the XenClient hardware-compatibility list to support non-vPro chips and AMD graphics chips by midyear.
While Virtual Computer's NxTop runs on more platforms than the competition, it is not part of a full virtual desktop infrastructure (VDI) suite in the same way as XenClient (with XenDesktop) and Local Mode (with VMware View). But it connects to VDI environments through Quest's vWorkspace desktop virtualization and through Citrix Receiver.
IT pros should also consider how the client hypervisor plugs into existing back-end management, if at all, since some desktop virtualization vendors don't work with widely used management systems. Virtual Computer NxTop, for example, plugs into Microsoft System Center, while MokaFive and Virtual Bridges Verde LEAF rely solely on proprietary management consoles.
There are more points to consider regarding integration, support and capabilities, all of which IT professionals should discuss with vendors before signing on the dotted line.