Lock it down and throw away the key!

One of the cool capabilities of Unidesk is how we persist any and all changes made to a desktop, while simultaneously providing single image management of apps and the OS.  The value here is obvious when your desktop use case requires the ability for users to install their own applications, add-ins, drivers, etc.  That's clearly something that non-persistent VDI can't do. 

But just how important is that use case?  I often hear, especially from larger companies, comments like "I'll never give my end users administrative rights!  Their desktops should be locked down.  I want a non-persistent desktop!"  

I totally understand that perspective - giving users administrative rights can increase support costs and introduces substantial security risks, just to name two reasons.  Those desktops can be non-persistent, and yet "personal" by using a profile manager and/or folder redirection to retain access to their documents and their basic settings.  So IT has no need for persistence in a locked down world, right?  

Locked down desktops require persistence

I'm going to make the case that most IT organizations actually depend, deeply, on persistent desktops even in locked-down environments ... and that without it they will fail to broadly deploy VDI.  Sure - lock down the desktops to stop users from making unauthorized changes.  Persistence is still needed because IT depends on it.  It's about agility, flexibility, security and cost. 

There are just too many applications...

Let's start with agility and cost.  This hits almost every organization that attempts to do a broad deployment of VDI - the burden of packaging and delivering every application used.  Take just one of our customers - 2,200 desktops with 450 applications in use.  On average, that's less than 5 users per application!  Of course many applications are broadly used by the organization, but there are some required by only one or two people.  It is unrealistic for IT to take the time and resources to successfully virtualize all 450 applications before doing a VDI rollout.  It's also unrealistic to tell business units that they can't have the very applications that they depend on today.  The result is stalled VDI deployments and excessive cost in application management.

Instead, with the ability to have persistent desktops while having single images for applications, IT is able to blend the existing and new models of managing desktops.  Key line of business applications can be packaged and delivered in layers, while limited use applications can be directly installed on the desktops, just as they are today.  And as IT continues to package and deploy the desktops, it can work from its own time schedule to migrate desktops from locally installed applications to ones delivered in individual layers.

Can't keep up with all the patches and updates...

From a security perspective, as IT takes control over virtualizing countless applications, they become responsible for monitoring all those applications for the latest patches and updates.  Unless IT has sufficient staffing (and who does?), applications quickly fall out-of-date.  Critical security patches get made to the most popular or critical line of business applications, leaving the other applications at risk.  For many organizations, this problem is handled today by allowing individual desktops to receive patches and updates with an "auto-update" service - but without a persistent desktop, this fails.  Of course not all organizations believe in allowing end-point updates like this ... but there are countless organizations that depend on this functionality.

Information is changing too fast...

Can IT really afford to be a bottleneck in delivery of all information to a desktop?  For example, what about antivirus signatures?  For in-guest antivirus management, those signatures must be constantly updated on the desktop.  Or any other application that has information that is continually updated.  We have one customer that operates 911 call centers - and the 911 database is updated multiple times a week.  Those updates must be delivered immediately to the call centers, and having IT in the middle increases delay and adds substantial compliance risk.   These are great examples of blending machine persistence and application layers.  IT can still manage the application itself in a layer for single point of management and control, while retaining timely delivery of the line-of-business data.

Locked down, layers and persistent

So does persistence matter with locked-down desktops? Absolutely.  Maybe not for all use cases, but I believe that IT requires persistence to achieve broad adoption of VDI across the organization.  For without broad adoption, the true benefits of VDI will be squandered away, leaving IT struggling with old-school desktops.