How to set up a virtual desktop access policy

For happy users and safe VDI, IT should set up an acceptable use policy that limits the number and types of devices users can use to connect to their virtual desktops.

The phrase "work from anywhere using any device" makes for a good marketing slogan, but VDI administrators must balance user freedom with security and operational efficiency by developing strong virtual desktop access policies.

In theory, device type no longer matters in the enterprise. Whether users prefer a PC, tablet or smartphone, they should be able to access a virtual desktop from whichever device they think best helps them get the job done. In fact, VDI lends itself to a device-agnostic approach. Still, the only way IT can maintain security and operational efficiency, while still giving users the freedom to work on their virtual desktop from the device they like best, is to establish some acceptable use policies for end-user devices. IT must design these policies with security and operability in mind, but without being so restrictive that the policies get in the way of user productivity.

Client device policy considerations

One of the first considerations IT administrators should examine is the risk each device poses to their organization's security, particularly when it comes to mobile devices. Some organizations study individual device model numbers and operating system versions to take a more granular approach to risk assessment. For instance, some organizations allow most iOS devices except those running iOS 6.1, which is known to cause problems with Exchange Server.

Other organizations take a much more casual approach to device validation by putting limits on device configurations rather than OS versions. For example, some organizations allow any iOS device as long as it's not jailbroken.

Admins should also consider which device types the help desk staff feels comfortable supporting. Although cost estimates vary widely, every help desk call comes at a price. The per-call cost skyrockets as the average call duration increases. One way to keep help desk calls short and users productive is to ensure that the help desk staff never has to support an obscure device for which they have no training.

It is in an organization's best interest to maintain a list of supported devices. The list might vary in scope based on the organization's general attitude toward end-user devices. For example, if an organization wants to be as permissive as possible, then its virtual desktop access policy might allow users to connect from any device but give IT the right to prohibit a specific device or device type it deems problematic. Such a policy might only support devices running certain OSes, such as Windows, Android or iOS.

Limit the number of devices

Organizations should also consider a per-user device limit, which specifies the maximum number of devices each user can use to connect to a virtual desktop.

The first reason to set a limit on devices is licensing costs. Users establishing multiple VDI sessions from multiple devices consume multiple licenses, which affects operational costs. Similarly, if a user establishes multiple simultaneous VDI sessions, this, of course, increases server hardware consumption, which also has an associated cost.

Even if the hardware and software costs associated with multiple sessions aren't an issue, IP address consumption could be. Imagine a user connects a device to the network for five minutes and then terminates the connection. Even though the device is no longer in use, it is still consuming an IP address. The IP address remains allocated to the device until the corresponding Dynamic Host Configuration Protocol (DHCP) lease expires. Some DHCP leases last for weeks, so allowing users to work from an excessive number of devices could quickly deplete an organization's IP address pool even if employees aren't using devices simultaneously. IT admins should consider a device policy that limits users to a specific number of VDI endpoints they deem appropriate for their organization.
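The checks discussed above (a supported OS list, a blocked OS version, jailbreak status and a per-user device limit) can be combined into a single admission decision. The following Python code is an added example, not part of the original article; the function and field names, the limit of three devices, the treatment of 6.1.x point releases as blocked, and the `jailbroken` flag (assumed to be reported by a device posture check) are all assumptions.

```python
from dataclasses import dataclass

# Assumed policy values: the OS list and the iOS 6.1 exclusion mirror the
# article's examples; the limit of 3 devices is constructed for illustration.
SUPPORTED_OSES = {"windows", "android", "ios"}
BLOCKED_VERSIONS = {("ios", "6.1")}
MAX_DEVICES_PER_USER = 3


@dataclass(frozen=True)
class Device:
    device_id: str
    os: str
    os_version: str
    jailbroken: bool = False  # assumed to come from a posture/MDM check


def version_blocked(os_name, version):
    """True if version is a blocked release or a point release of it.

    Assumption: 6.1.x is treated like 6.1. A plain prefix test would
    wrongly match 16.1, so the separator is checked explicitly.
    """
    return any(
        os_name == b_os and (version == b_ver or version.startswith(b_ver + "."))
        for b_os, b_ver in BLOCKED_VERSIONS
    )


def evaluate(device, registered_ids):
    """Return (allowed, reason) for one connection attempt.

    registered_ids: set of device IDs already enrolled for this user.
    """
    os_name = device.os.lower()
    if os_name not in SUPPORTED_OSES:
        return False, "unsupported OS"
    if version_blocked(os_name, device.os_version):
        return False, "blocked OS version"
    if device.jailbroken:
        return False, "jailbroken device"
    # A device that is already enrolled does not count against the limit again.
    is_new = device.device_id not in registered_ids
    if is_new and len(registered_ids) >= MAX_DEVICES_PER_USER:
        return False, "per-user device limit reached"
    return True, "allowed"
```

Returning a reason alongside the decision lets the help desk tell a user why a device was refused without looking up the policy.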

Clearly, there are a number of issues to consider when deciding which devices can access virtual desktops. Besides the various security and cost problems, form factor issues can arise. For instance, virtual desktops are usually configured to operate at a certain display resolution and, therefore, may not be appropriate for use on low-resolution devices.
