User Environment Management (UEM) - Rob Beekmans · 7.4 AppSense ... pendent overview of the User Environment Management (UEM) solutions and curious about the different features-

User Environment Management

(UEM)

Smackdown

Author(s): Rob Beekmans

Version: 16.02

Date: April 2016


Smackdown

Version 16.02 april 2016 Page i

© 2016 PQR, all rights reserved.

All rights reserved. Specifications are subject to change without notice. PQR, the PQR logo and its tagline Eenvoud in ICT are trademarks or registered trademarks of PQR in the Netherlands and/or other countries. All other brands or products mentioned in this document are trademarks or registered trademarks of their respective holders and should be treated as such.


Smackdown

Version 16.02 april 2016 Page ii

CONTENT

1. Introduction .............................................................................................................................. 1

1.1 Objectives ................................................................................................................................. 1

1.2 Intended Audience .................................................................................................................... 1

1.3 Vendor Involvement ................................................................................................................. 1

1.4 Community involvement .......................................................................................................... 1

1.5 Document creation process ...................................................................................................... 1

1.6 Suggestions and improvements ................................................................................................ 2

1.7 Sponsoring ................................................................................................................................ 2

1.8 Contact ...................................................................................................................................... 2

2. About......................................................................................................................................... 4

2.1 About PQR ................................................................................................................................. 4

2.2 Acknowledgments ..................................................................................................................... 4

2.3 Quotes from CTOs and Founders of UEM Product Companies ................................................ 8

3. Definitions and Terms used in this paper ................................................................................. 9

4. What is User Environment Management (and why should you care?) ..................................11

4.1 UEM: Defined ..........................................................................................................................11

4.2 UEM and the “Layer Cake” analogy ........................................................................................12

4.3 The Pre-History of UEM (and the case for better solutions) ..................................................13

4.4 Why UEM? ..............................................................................................................................16

5. In-Box UEM from Microsoft ....................................................................................................17

5.1 Microsoft’s own in-box UEM solution: Group Policy and Group Policy Preferences .............17

5.2 A quick note about Microsoft’s AGPM ...................................................................................22

5.3 Microsoft’s “now included” Roaming Profile Replacement / Successor: UE-V ......................22

6. Before deciding on a 3rd party UEM Solution .........................................................................25

6.1 Frequently Asked Questions (FAQ) about 3RD party UEM tools .............................................25

6.2 What else should I look for in a UEM tool? ............................................................................28

6.3 The future of UEM and the UEM smackdown ........................................................................30

7. Solution Overview ...................................................................................................................31

7.1 Introduction ............................................................................................................................31

7.2 Vendor matrix, who has focus on what!? ...............................................................................32

7.3 AppiXoft ..................................................................................................................................33

7.4 AppSense ................................................................................................................................37

7.5 Citrix ........................................................................................................................................42

7.6 Dell Wyse vWorkspace ............................................................................................................46

7.7 FSLogix: ...................................................................................................................................48

7.8 Liquidware Labs ......................................................................................................................51


Smackdown

Version 16.02 april 2016 Page iii

7.9 Norskale .................................................................................................................................56

7.10 PolicyPak Software ..................................................................................................................60

7.11 RES ..........................................................................................................................................66

7.12 Tricerat ....................................................................................................................................71

7.13 Unidesk ...................................................................................................................................74

7.14 VMware User Environment Manager .....................................................................................79

7.15 VMware View Persona Management .....................................................................................84

8. UEM features Comparison ......................................................................................................86

8.1 Introduction ............................................................................................................................86

8.2 Roadmap and Future additions ..............................................................................................88

8.3 Feature Compare Matrix .........................................................................................................89

8.4 Generic features and functionality .........................................................................................90

8.5 User Profile Management .....................................................................................................102

8.6 User Personalization, Application and Desktop Management .............................................107

8.7 Application Access Control, Security Management ..............................................................115

8.8 Resource Management .........................................................................................................123

8.9 License Management ............................................................................................................125

8.10 Monitoring, Auditing and Reporting .....................................................................................126

9. Conclusion .............................................................................................................................131

10. Change Log ............................................................................................................................133


Smackdown

Version 16.02 8 april 2016 Page 1

1. INTRODUCTION

Are you overwhelmed by all the different User Environment Management solutions available?

Are you looking for insights into User Environment Management? Are you looking for an inde-

pendent overview of the User Environment Management (UEM) solutions and curious about

the different features- and functions each UEM vendor is offering? If so, this whitepaper is a

MUST read!

In the current market, there is an increasing demand for unbiased information about User En-

vironment Management solutions. This white paper focuses on solutions enabling businesses

to manage the User Environment. An overview of features has been created to enable a better

understanding and comparison of capabilities.

1.1 OBJECTIVES

The overall goal of this whitepaper is to share information about:

What is User Environment Management?

User Environment Management functionality and solutions overview;

Describe the different UEM vendors and their solutions;

Compare the functionality and features of various UEM solutions;

1.2 INTENDED AUDIENCE

This document is intended for IT Managers, Architects, Analysts, System Administrators and IT-

Professionals in general who are responsible for and/or interested in designing, implementing

and maintaining User Environment Management solutions.

1.3 VENDOR INVOLVEMENT

All major vendors whose products are analyzed and described in the feature comparison have

been approached in advance to create awareness of this whitepaper and discuss the different

features and functionality. The product descriptions are written by the vendors, they had four

pages of freedom to show their product to you.

1.4 COMMUNITY INVOLVEMENT

Members of the UEM community were approached to help with the update of this document.

In the next chapter we’ll introduce the member of the community.

1.5 DOCUMENT CREATION PROCESS

The document has been created with the help of the community and co-workers who did the

initial review of solutions. The reviews were then reviewed by a peer reviewer before we ac-

cepted them in the matrix. The vendors got the opportunity to review the matrix before publi-

cation and provide input about the review. If the input was considered valid the document was

updated.


Smackdown


1.6 SUGGESTIONS AND IMPROVEMENTS

We’ve done our best to be truthful, clear, complete and accurate in investigating and writing

down the different solutions. Our goal is to write an unbiased objective document where pos-

sible, which is valuable for the readers. If you have any comments, corrections or suggestions

for improvements of this document, we want to hear from you. We appreciate your feedback.

Please send e-mail Rob Beekmans ([email protected]) include the product name and version number

and the title of the document in your message.

1.7 SPONSORING

PQR does not receive any sponsoring from any vendor for this document. This document is

created with the help of many community friends and the vendors. We find it of the utmost

importance to be independent and stay independent in our whitepapers. The only sponsoring

we get from vendors is their valuable review of the document for which we are very grateful.

1.8 CONTACT

PQR; Tel: +31 (0)30 6629729

E-mail: [email protected]; www.PQR.com;

Twitter: http://www.twitter.com/pqrnl

mailto:[email protected]


http://www.pqr.com/

http://www.twitter.com/pqrnl


Smackdown


THIS DOCUMENT IS PROVIDED "AS IS"

WITHOUT WARRANTY OF ANY KIND

FOR REFERENCE PURPOSES ONLY

COPYRIGHT PQR

PUBLISHING IN PART OR WHOLE IS PROHIBITED WITHOUT WRITTEN APPROVAL


Smackdown


2. ABOUT

2.1 ABOUT PQR

PQR, trusted advisor and integrator for modern datacenter, workspace and cloud solutions, focuses on availability of data, applications and work spaces in a secure and manageable way. Along with a suite of IT services PQR guarantees a stable environment, to ensure ICT is always within your reach. PQR customers are active in all sectors of society and can be classified as medium to large or-ganizations where ICT is essential to the business. PQR has profound knowledge of the educa-tion, government, profit and healthcare markets. In addition to many traceable references PQR absorbs a wide range of knowledge areas, ac-cording to high status levels and preferable certifications. PQR is Cisco Premier Partner, Citrix Platinum Solution Advisor, Hitachi Data Systems Platinum Partner, HP Platinum Partner, Mi-crosoft Gold Partner, NetApp Star Partner, RES Platinum Partner and VMware Premier Partner. PQR, founded in 1990, is established in De Meern and counts over 100 employees.

2.2 ACKNOWLEDGMENTS

LEADER

Rob Beekmans is a 26-year IT veteran that worked in many fields in IT be-

fore he joined PQR 7 year ago. Rob is a senior consultant with a strong fo-

cus on Application and desktop delivery, User Environment Management,

Mobility and monitoring. Rob is a VMware vExpert and is a member of the

VMware vExpert-EUC group. Rob shares his vision and insights on his per-

sonal blog, on webinars or on stage. Follow Rob on Twitter or visit his blog.

If you want to contact Rob you can do so at [email protected]

The document previously was managed by my former PQR colleague Ruben Spruijt. After Ru-

ben left a new “leader” was needed to make sure the document was updated. I took up the

task to update the document and gathered a team of experts to help me. I thank Ruben for his

hard work over the past years and wish him the best at his new job.

Founder

Ruben Spruijt is Chief Technology Officer at Atlantis Computing, responsible for

driving vision, technology evangelism and thought leadership with Atlantis cus-

tomers, partners and communities. Mr. Spruijt is a well-regarded author,

speaker, market analyst, technologist, and all-around geek. An established indus-

try leader and luminary, he is one of only a few individuals in the world to hold

three prestigious virtualization awards: Microsoft Most Valuable Professional

(MVP), Citrix Technology Professional (CTP) and VMware vExpert.

mailto:https://twitter.com/robbeekmans

http://robbeekmans.net/



Smackdown


Mr. Spruijt has presented more than 150 sessions at national and international events such as

BriForum, Citrix iForum Japan, Citrix Synergy, Gartner Catalyst, Microsoft Ignite, Microsoft

TechEd, NVIDIA GTC, and VMworld. Mr. Spruijt founded several independent industry analysis

bodies including Project Virtual Reality Check (VRC), Team Remote Graphics Experts

(TeamRGE), AppVirtGURU written and co-authoring multiple disruptive ‘Smackdown’ research

whitepapers. Mr. Spruijt is based in the Netherlands where he lives with his wife and three

kids.

Major contributors

Special thanks go out to Jeremy who helped me with the initial review and edit of the first 50

pages of the document. He worked through the Dutch-English sentences and turned them to

English. Without his hours of work on this the readability of the document would be worse.

Further on he worked on the Microsoft piece of the document, which is a separate chapter for

it’s the base everyone starts off from.

Jeremy Moskowitz, Group Policy MVP: Jeremy is a 13-year recipient

of the Microsoft MVP award with a concentration in Group Policy. He

runs GPanswers.com for Group Policy training and consulting. He also

leads the solutions design at PolicyPak Software. Jeremy contributed

the Microsoft Group Policy and Microsoft UE-V sections as well as the

PolicyPak section. Follow Jeremy on twitter @jeremymoskowitz or at

www.GPanswers.com or www.PolicyPak.com

Another big thanks goes out to my co-workers Hayscen de Lannoy

who worked with me on the last edits of those 50 pages and the gen-

eral review before this document was able to go live.

Hayscen de Lannoy: Hayscen had his start in the IT field 18 years ago

doing application migrations and desktop deployments. He is now a

senior workspace consultant at PQR with a passion for Server Based

Computing, VDI, User Environment Management, automation and de-

ployment. Follow Hayscen on twitter at @hdelannoy.

Community effort

The community is a very important part of my professional life, I can’t imagine not being in

contact with many of the guys listed here. When I took up the job to update the paper I knew

the community had to be included. So here are the community hero’s that made this version

of the smackdown possible. Of course this little piece of text does not reflect the time they in-

vested, thanks guys for all the effort. It’s more than appreciated.

http://www.twitter.com/jeremymoskowitz

http://www.gpanswers.com/

http://www.policypak.com/

http://twitter.com/hdelannoy


Smackdown


Igor van der Burgh

@igor_vd_Burgh

Ryan Revord

@rsrevord

Sven Huisman

@svenh

Patrick van der Born

@pvdnBorn

Marius Sandbu

@msandbu

Julien Sybille

@jsybille

Rob Aarts

@rob_aarts

Erik Bakker

@bakker_erik

Mathias Kowalkowski

@stflr

Sean Massey

@seanpmassey

David Seaman

@vyvere

Henk Hoogendoorn

@henkhoogendoorn

http://twitter.com/igor_vd_Burgh

http://twitter.com/rsrevord

http://twitter.com/svenh

http://twitter.com/pvdnBorn

http://twitter.com/msandbu

http://twitter.com/jsybille

http://twitter.com/rob_aarts

http://twitter.com/bakker_erik

http://twitter.com/stflr

http://twitter.com/seanpmassey

http://twitter.com/vyvere

http://twitter.com/henkhoogendoorn


Smackdown


Neo Crazy Dad

@neocrazydady

Patrick Rouse

@patrickRatDELL

Geoffery van der

Molen

@GeoffreyvdMolen

Hayscen de Lannoy

@hdlannoy

Richard Kuipers

@rkuiper

http://twitter.com/neocrazydady

http://twitter.com/patrickRatDell

http://twitter.com/GeoffreyvdMolen

http://twitter.com/hdlannoy

http://twitter.com/rkuiper


Smackdown


2.3 QUOTES FROM CTOS AND FOUNDERS OF UEM PRODUCT COMPANIES

"Whether you want to get the latest insights on desktop virtualization or you are new to the

space and need to quickly understand it, the UEM Smackdown is the essential guide to read. It

provides detailed analysis of the different offerings in the market today and gives an overview

of the strategic questions one should evaluate. This guide will be an excellent companion on

your Application and Desktop Delivery journey. Kudos to PQR for their continuing effort."

Bob Janssen, CTO and Founder, RES

"As the UEM space continues to grow and mature, the capabilities of the solutions and prod-

ucts in this space are evolving - PQR's UEM Smackdown educates the world on the depth and

complexity of delivering true User Environment Management, and highlights the many differ-

ent areas of functionality required for a comprehensive solution that can scale for organiza-

tions of all sizes. It is important for the technical community to have an independent, detailed

review of UEM solutions and at AppSense, we're delighted to see PQR fill that void."

Jon Rolls, VP Product Management, Appsense

“In their efforts of balancing productivity and manageability, businesses will eventually see the

value of User Environment Management. PQR’s UEM Smackdown is the invaluable guide for

those who are looking for ways to make this balancing act feasible and affordable.”

Richard Kuijpers, Managing Director, Appixoft

“The UEM Smackdown is a good resource for starting your evaluation of UEM products. Desk-

top transformation involves many steps and User Management is an important one to get

right. Choosing the best solution for your organization based on architecture, features, and

value is essential and the UEM Smackdown of PQR brings this information together in one doc-

ument.”

Jason Mattox, CTO, Liquidware Labs

“UEM can mean different things to different people. Ultimately it’s about adding more horse-

power to managing the desktop and the user’s experience, than what is normally possible out

of the box. The information in the UEM smackdown paper offers IT admins solutions from dif-

ferent vendors to augment or supplant what’s in the box. The information in this guide could

be the key you need to a true ‘next generation’ desktop experience as we head into the era of

Windows 10 everywhere.”

Jeremy Moskowitz, Founder, PolicyPak Software

"We believe that workspace performance is key for all organizations, large and small, because

it directly impacts the success of the most important aspects of an IT environment: user expe-

rience, simplicity, and budget. Our innovative algorithms optimize the way applications run,

allowing up to 70% more end-users in virtual environments, while our UEM engine allows you

to deliver fully managed workspaces with less than 10 second login times. All of this can be

easily achieved by configuring only a few settings in the management console.”

Pierre Marmignon, Founder and CEO of Norskale


Smackdown


3. DEFINITIONS AND TERMS USED IN THIS PAPER

This table below gives an overview of various terms that we will be using in this paper. You can

refer back to this section as needed throughout the paper.

Term Definition

User Profile The unique location within a Windows desktop to which a user has

write access. Application will write user preferences to this location

and the user can store data such as documents and pictures in this

location as well. The profile is created when the user first logs onto

a Windows desktop and persists on that desktop unless an admin-

istrator or policy deletes it

Personalization (or Persona) A user’s customizations to their environment – e.g. wallpaper,

shortcut placement, pinned items etc. Also includes application

preferences written to the user profile. Used as a term to describe

what is contained in a user profile

User Environment Management A controlled and structured approach to managing components of

the environment related to the user. This includes user profiles,

preference, policy management, monitoring, auditing, application

control and application deployment. Can be achieved with the

Windows in-box tools, or can be enhanced using scripting or 3rd

party solutions to achieve a particular desired result

User State Virtualization Abstraction of user data and profile from the operating system –

Roaming Profiles, Folder Redirection and Offline Files. User State is

still tied to the version of the operating system and provides no

separation of individual application preferences

Originator: Microsoft

User Virtualization When used alongside OS Virtualization and Application Virtualiza-

tion; is a term that makes it easy to describe a layered approach to

desktop management and building the user environment on de-

mand. Usage extends to user profiles, user environment manage-

ment, application control and user installed applications.

Originator: AppSense

Workspace Management Used to describe the process of abstracting user data and prefer-

ences from the operating system and along with application deliv-

ery, shortcut and file type association management, building the

user environment dependent on the users’ context (identity, loca-

tion, device etc.)

Originator: RES


Smackdown


Term Definition

User Profile Management Move beyond roaming profiles to actively manage the user profile

– may or may not provide segmentation of the profile

Layered User Personalization See User Virtualization

Decoupling Personalization Separating the user profile from the operating system. See User

Virtualization

Profile Segmentation Segment the profile into smaller chunks of related profile settings –

e.g. per-application settings. Those application settings may now

be portable across operating systems

User Virtualization Management See User Virtualization

Application and Workspace Per-

sonalization

See Workspace Management

User Workspace Virtualization See User Virtualization

Persistent Personalization Persist user profile data across sessions

Persona Management See User Profile Management

Profile Virtualization Implementing file system redirection to move the profile or parts

of the profile from its real location on disk to another location. Not

to be confused with Folder Redirection built into Windows

Profile Streaming Rather than load the entire profile at logon, stream only the data

to the client as it is requested. This improves logon times. Used in

conjunction with profile virtualization

Hybrid Profile Management Managing the user profile as a combination of a local or mandatory

profile with user preferences or personalization added at logon or

application start

Profile Management See User Profile Management

Profile Acceleration See Profile Streaming

User Installed Applications The ability for a user to install an application and have that applica-

tion then persist across different Windows desktops

User Rights Management or Priv-

ilege Management

Dynamic elevation of specific user rights via a defined policy to

make administrative access more granular. Individual applications,

Control Panel applets or Windows tasks can be delegated without

adding the user to the local Administrators group

Dynamic Privileges See User Rights Management


Smackdown


4. WHAT IS USER ENVIRONMENT MANAGEMENT (AND

WHY SHOULD YOU CARE?)

4.1 UEM: DEFINED

User Environment Management, or UEM for short, is an easy way to describe any addition to

the in-the-box Windows experience to make the desktop more manageable.

That being said, at one time, the (perhaps original) definition of UEM was somewhat more nar-

row; UEM once meant to roam settings from machine to machine without the use of roaming

profiles.

But as end-user computing needs got more sophisticated, use cases evolved, VDI, BYOD, and

other desktop-enablement technologies emerged from infancy to adulthood, so transformed

the original definition of UEM as well.

UEM goes beyond the traditional “Configuration Management” (CM) and, indeed, in many

cases is a complement and not a competition to Configuration Management utilities.

Traditional CM solutions are products like Altiris Endpoint Management, LANDESK, IBM BigFix,

Microsoft System Center Configuration Manager (SCCM), Novell ZenWorks and others.

To help understand the difference between UEM and CM, here are some core feature exam-

ples that describe typical non-overlapping features between the two concepts.

CM product features sample:

Deploy operating systems and desktop software

Perform patch management

Perform hardware and software inventory

Configure antivirus

UEM product features sample:

Roam end-user settings between machines

Configure desktop look and feel

Map drives, deploy printers, create shortcuts

Show / hide / layer applications on a desktop

Manage and configure Internet Explorer

As such, the primary focus of the Client Management solutions is the client device and not pri-

marily the end-user’s workspace.

UEM products, on the other hand are about the user’s experience and interaction to their

desktop, and not about the client device.


Smackdown


Therefore our definition of User Environment Management (UEM) for 2016 is:

“User Environment Management (UEM) is any software solution which facilitates the man-

agement of the end-user user computing environment. The software’s primary focus would

be about the end-user experience and not on the end user's device”.

That being said, in the same way no two products are the same, neither will you find the exact

same feature set in a CM product, nor will you find the same feature set in a UEM product.

One UEM product might roam settings between machines, and another might not have that

feature at all, and instead, do an amazing job at configuring the desktop look and feel. Another

UEM product might not do either of those functions, but instead perform application hiding.

Said another way, the spectrum of UEM products is quite diverse. Because of that an IT depart-

ment might start by using the in-the-box UEM solution (Group Policy) augment or replace it

with one or more 3rd party UEM products to make a whole solution which solves the particular

business and end-user cases needed.

Some UEM products try to do “everything.” Some UEM products try to do just one thing. Other

UEM products do a handful of things.

4.2 UEM AND THE “LAYER CAKE” ANALOGY

A user with a fresh install of Windows 10 and nothing else equals a user who cannot do any

real work. To perform real work, a user needs:

Applications.

Drive maps.

Shortcuts.

Printers.

Security, desktop and application settings.

Personalized look and feel settings.

Access to documents.

…..and a lot more.

As such, just providing a desktop to a user gives him very little to do. Therefore, the term

“Layer Cake” has emerged as model to express what must happen after the desktop is de-

ployed.

These layers can be layered on directly or in virtualized pieces.

The ideal situation is to break up (or isolate) the Operating System (OS), the Applications

(Apps) and the User Components. By isolating each piece, you can interchange any of the

pieces, and still have a functioning desktop system “cake.”


Smackdown


In Figure X, we can see the basis of the layer cake:

OS is first (bottom)

Applications are second (middle)

User settings are last (top)

To go deeper into the layer model:

OS: OS delivery can occur in a myriad of ways such as golden / master image, stream-

ing image, layered, VDI, RDS, etc.

Applications: Applications can be present by being “physically installed” (using MSI),

placed there with Application Virtualization, and/or layered and/or hidden.

User: User settings (and restrictions) are last, which include personalization, security

policies, look and feel settings, and so on.

4.3 THE PRE-HISTORY OF UEM (AND THE CASE FOR BETTER SOLUTIONS)

Before vendors came along with elegant solutions to solve desktop environment challenges, it

was reasonably common for IT admins to cobble together their own rudimentary solutions for

desktop management.

For instance, if you couldn’t install two applications on the same desktop, admins would simply

install the applications on two different servers (siloing them), and publishing the applications

for use. Poof! Instant workaround!

But, with workarounds come problems. While this reduced application conflicts, now the silo

introduced problems ensuring that user’s preferences are available across different hosts and

kept consistent between sessions!

So Roaming Profiles (in Microsoft Windows) were introduced to store and recall settings. The

goal of Microsoft Windows Roaming Profiles goals was to store user-changed settings so they


Smackdown


were recalled and available the next time the user logged on, or when the user changed ma-

chines.

But with Roaming Profiles came other problems. Some problems with roaming profiles were

real, actual problems. Other problems with roaming profiles felt like real problems, but instead

were misunderstanding or perception problems. Other problems were simply mere annoy-

ances with the way Microsoft handled roaming profiles’ implementation. Let’s break down the

three categories of roaming profile issues:

Roaming Profile implementation annoyances

Roaming profile “real problems”

Roaming profile “perceived problems”

Roaming profile implementation annoyances

Roaming profiles should have been implemented such that it was drop-dead easy to roam

from machine to machine and operating system to operating system. However, the implemen-

tation from Microsoft is simply not that way.

Instead, Microsoft’s recommendation is that all versions of the profile (mostly based upon op-

erating system revisions) should be siloed. That is, you shouldn’t intermingle user preference

data from one version to another; nor can you intermingle 32 and 64 bit profiles (Microsoft KB

http://support.microsoft.com/kb/2384951).

Therefore, the Operating System to Profile Version chart looks like what’s seen in Figure X.

Then after successfully siloing each operating system’s data, the next prescription would then

to use Redirected Folders to get to end-user data. The end-result would be roaming from ma-

chine to machine, regardless of machine type. And even though there was a different profile

for each operating system, at least the user could access the same data, because of the folder

redirection.

Roaming profile “real” problems:

Besides the implementation annoyance of having to silo roaming profiles, there are some ac-

tual real problems with roaming profiles.

Over time, lots of user settings can be stored in the profile. And therefore at login time, when

speed is most needed, that time is wasted loading the (now large) user profile. That being said,

even since Windows XP, roaming profiles only need to download only the NTUSER.DAT file and

http://support.microsoft.com/kb/2384951


Smackdown


only the changes between the profile and what's already on the machine. This does pose a real

problem for non-persistent VDI desktops and whenever users log into a brand new machine or

session, because that first login is always downloading the whole profile; thus being slow (the

first time.)

Another real problem of roaming profiles is that if a user made an undesired change or for

whatever reason the user's state needed to be restored, there was no good way to do this.

Even performing a real backup and restore could sometimes not restore the state back as us-

ers expected.

Roaming profile “not real” & perception problems:

It is definitely true that you can corrupt a profile if you don’t heed Microsoft’s warning to silo

your roaming profiles based upon operating system. And in the distant past, it was quite easy

to roam from Windows NT to Windows 2000 and causing actual profile corruption along the

way.

One of the perceived problems with roaming profiles might not actually be a problem at all.

Since windows 7 and continuing on to Windows 10, actual profile corruption could be a per-

ceived phenenomon as opposed to a real actual problem occurance.

This blog entry from Mike Stephens at Microsoft really says it all, and is worth a read. It's enti-

tled "Mythical Creatures - Corrupt User Profiles" and is found here.

If you want a second opinion from a profile expert read "Corrupt User Profiles - Do They Even

Exist?" which is found here.

Said another way, roaming profiles are not without problems and drawbacks. But actual hard-

core “corruption” could simply be misintrepration of what is really occurring on a system.

Using scripts to compensate for Roaming Profiles and missing functions out of the box.

Logon scripts, logoff scripts, startup scripts, shutdown scripts and manually executed scripts

have often been used to work around in-box limitations where IT admins have wanted to en-

hance the user environments.

Script engines like VBscript, KiXstart, Powershell, and others aren’t usually optimized for speed

nor do they often have error handling or reporting. Scripts cannot cater for everything a user

could potentially do during their session. Scripts also have to be maintained by engineers who

understand how to write and maintain scripts. Which is good for job security but bad for conti-

nuity, agility and long term supportability.

Some organizations have even written their own full-blown in-house UEM solutions because,

historically, the market wasn’t mature enough with commercial solutions. Even if an in-house

UEM solution works reasonably well, even one minor feature change could introduce a large IT

cost to build and maintain as well as distract the IT team from other important tasks.

http://blogs.technet.com/b/askds/archive/2010/10/20/mythical-creatures-corrupt-user-profiles.aspx


Smackdown


4.4 WHY UEM?

Now that we’ve established why UEM was needed, let’s continue onward with a slightly differ-

ent angle. Let’s try to sussinclty answer the question: “What are the primary reasons for imple-

menting any UEM solution?” The potential answers are as varied as they are many:

Improve user experience when logging on

Migrate between OS’s while maintaining user settings

Enable installing of user’s own applications (User-installed applications)

Avoiding use of Windows Roaming profiles

Extending Group Policy to do more (and go to more places)

Replace scripts with something graphical and consistent.

Provide better and granular support of user and application preferences.

Enforce / enable access to applications, file-types, (removable) devices, network and

data resources.

Enable context awareness (ie: Based on user location, device and custom settings,

grant access to applications, data, network resources, devices and preferences dynam-

ically)

It facilitates Resource Management to control and optimize usage of CPU, Memory re-

sources with focus on applications and (Virtual) Desktops.

Facilitate BYOD

Layer applications not already found in the base image

Hide applications pre-installed in the base image

Report on detailed information changes inside the User Environment Management en-

vironment which could be needed for compliancy and certification standards such as

Persona Information Acts (HIPAA), ISO 27001, SOX and NEN 7510.

Audit and monitor user environments for security events


Smackdown


5. IN-BOX UEM FROM MICROSOFT

Almost all IT departments use Windows as their platform of choice; and as such all the areas

we discuss will be Windows-centric. And with the pre-paid investment in Windows already

comes a small advantage: there’s already a UEM solution in the box from Microsoft.

This section explores what is ostensibly “free” since it’s already paid for and in most cases al-

ready partially or fully utilized. Most organizations will have a Microsoft environment and with

that comes the license agreement. That license agreement hands you an in-box UEM solution

from Microsoft. Is this one product? No the UEM solution Microsoft is handing you is a combi-

nation of multiple tools imbedded in Windows. With the Microsoft license agreement comes

Group Policy and Group Policy Preferences. Depending on the license agreement, SA licensed

or not, you get access to UE-V. These tools will offer you a basic UEM solution that might just

do for you. For more advanced UEM features or more complex scenario’s you need to look at

other vendors to complement Microsoft in your organization.So first we will show you what

Microsoft has to offer, you have to understand what is there before you can decide if it will do

for you.

5.1 MICROSOFT’S OWN IN-BOX UEM SOLUTION: GROUP POLICY AND GROUP POLICY PREF-

ERENCES

Microsoft’s solution for User Environment Management is built in the Group Policy mecha-

nism.

There’s a lot to be said for the native Microsoft tools. Both Group Policy (GP) with Group Policy

Preferences (GPPrefs) form the basis of an excellent solution for managing computers and the

user environment.

Indeed, Microsoft acquired DesktopStandard in order to acquire Group Policy Preferences,

which has positively delighted many administrators since its inclusion in 2008.

However some customers find that Group Policy either requires additional 3rd party add-ons

(Group Policy is extensible) or a complete replacement via alternate solutions.

Group Policy does a great job for managing the Microsoft pieces in the box. Microsoft ships

more than 3500 policy settings that will set and lock down various operating system look and

feel items and set various security settings. That being said, there are two types of settings

within the Group Policy system:

Policy Settings: These are “True policy” in that a standard user cannot actively work

around these set settings. These are all the Adminitrative Template items and security

items.

Preferences Items: Microsoft’s Group Policy Preferences acts differently, in that nearly

all the directives can be worked around – by design – by the user. That’s why they’re

called “Preferences.” For instance, Group Policy Preference’s most popular features

are delivering Drive Maps, Printers and Shortcuts. And the user at whim can delete all


Smackdown


of these settings. It is notable that Group Policy Preferences settings can re-apply dur-

ing Group Policy background refresh, but only if the client can actively make contact

with a Domain Controller and is not offline.

The Group Policy ecosystem is only a “settings delivery” mechanism and doesn’t care what

happens after the settings are delivered. After settings are delivered, if a user changes “user

controllable” areas, then Roaming Profiles will typically contain these settings.

Group Policy and Group Policy preferences’ additions greatly enhance the administrator’s

toolbox and opportunities for managing the user environment; however there are several im-

portant pieces still missing from this arsenal:

• Microsoft’s own Roaming profiles have the same continued challenges: Roaming Pro-

files are still only supported per OS – organizations are unable to provide application

settings across operating system versions.

• Scripts could still be necessary for some tasks: Scripts might still be needed, and main-

tained plus they continue to have the same limitations as the scripts we used to write.

Though skillful use of Group Policy Preferences can often eliminate the need for many,

if not all, of a company’s scripts.

• Some Group Policy Preferences items have not been made upwardly compatible with

Windows 10, such as File Open assignments.

As stated, a Group Policy infrastructure is made up of Group Policy Objects (GPOs) and can na-

tively contain directives called Policy or Preferences, but is also extensible to 3rd party direc-

tives.

Group Policy can be configured by creating a GPO and linking the GPO to a Site, Domain or Or-

ganizational Unit in Active Directory. GPOs can contain both User and Computer side direc-

tives. The configured settings are applied by the client at startup, logon and approximately

every 90 minutes in the background (processed independently on User and Computer side.)

Group Policy Preferences provides 21 user-environment management (UEM) abilities to Group

Policy and works from Windows XP clients onward. Group Policy Preferences greatly extend

the possibilities to configure the user environment and in many cases eliminates the need for

complex logon scripts.

Group Policy Preferences’ most popular features include delivering drive mappings, shortcuts

and printer assignments

Roaming Profiles may or may not be used with Group Policy. That is, there is no “all or noth-

ing” with regard to Group Policy and Roaming Profiles. Many organizations choose to take ad-

vantage of Group Policy and Group Policy Preferences without ever turning on roaming or

mandatory profiles.

The configuration of roaming or mandatory profiles is usually handled using Active Directory

Users and Computers directly upon a users’ Active Directory account.


Smackdown


Benefits

Group Policy, Group Policy Preferences are free as they come with the Microsoft Windows in-

stallation. Since it’s in the box most administrators have had some use of Group Policy and/or

Group Policy Preferences.

Other benefits are:

Works across any Windows experience - Physical, Virtual, and Laptops.

Works across all Windows operating systems from Windows XP onward; continued

support for all Windows 10 endpoint systems.

Compatible with Microsoft RDS, VMware Horizon View, Citrix XenApp and Citrix

XenDesktop.

No software to install on desktops, no additional shell environment.

Data stays in Windows native format, you're never locked into a data jail.

No architecture to deploy – everything is stored on domain controllers; the Group Pol-

icy client is already on all Windows endpoints.

One-single solution for all of your Windows desktops.

Rich history of being extended by 3rd parties to perform specialized functions that are

not present “in the box”.

Functionality

With Group Policy Settings, the main functionality is:

Configure the look and feel of the desktop for in-the-box Windows functions (Control

Panel, Desktop, etc.)

Manage security aspects: underlying operating system, firewall security, application

whitelisting / blacklisting (AppLocker)

Lockdown supported areas to prevent unauthorized changes to the system.

Configure behavior of roaming profiles, folder redirection and offline files

With Group Policy Preferences, the following functionality is available for user and computer

configuration (user-side shown in screenshot below):

Map Drives, Printers, Shortcuts and more.

Set environment variables.

Deliver files, create folders folder.

Simple INI files and Registry edits.

ODBC settings.

Perform device restrictions.

Set folder options, Internet Explorer settings, Start Menu.

Group Policy Objects and Preferences contain functionality to configure both the user and

computer as well. Generally, when a computer receives a computer-side setting, all users who

use that computer are affected.


Smackdown


Context-awareness using Item-Level Targeting

Group Policy Preferences items have a rich collection of built-in “Item Level Targeting” filters.

These enable specific Group Policy Preferences items to affect machines specifically based on

location, machine, group, IP address, OU, and other filters.

Figure 1: Targeting

A partial list of ILT filters is shown in the screenshot. A full list of context-aware ILT filters can

be found at http://technet.microsoft.com/en-us/library/cc733022.aspx

Architecture

Active Directory Services is required to centrally manage and assign Group Policy Objects and

Preferences. Although some Group Policy settings can be configured on each computer – one

by one -- locally (using gpedit.msc). This is not a great option when mass configuration in an

enterprise environment is desired.

Group Policy Objects containing Policy and Preferences can be linked to Active Directory at dif-

ferent levels (sites, domain, OU) and directed to users and/or computers.

When using multiple Group Policy Objects, the processing order is always: Local, Site, Domain,

OU. The last effective Group Policy Object wins, but higher-level administrators can always en-

sure their directives “win” by using the “Enforced” setting upon a GPO.

Some Group Policy settings directly or indirectly change registry settings. Microsoft provides

Administrative Templates (*.adm, admx), which affect operating system settings, and some ap-

plications like Microsoft Office or App-V.

http://technet.microsoft.com/en-us/library/cc733022.aspx


Smackdown


Licensing

No additional licenses are needed to get started with Group Policy Objects and/or Group Policy

Preferences. The default Windows Client Access License is enough.

Speed concerns

While there are some reasons that Group Policy could be slowing down a startup or a login, in

practice the most common reason Group Policy can be perceived to be “slow” is the improper

use of startup and login scripts which try to perform “too much”; such as copying large files

(every time at login), waiting for user input (and timing out), or referencing servers which don’t

exist -- thus holding up prescious startup or login time. Another common reason for slow-

downs is trying to deploy “very large” printer drivers via Group Policy Preferences (which can

be 30 – 500MB depending on the vendor.)

Said another way, when using Login or Startup scripts, or deploying large printer drivers via

Group Policy, Group Policy is performing exactly what it’s supposed to do.

While not every administrative action can be accounted for, the Group Policy engine itself has

several built in throttling mechanisms to specifically prevent slowness at startup and login:

Each GPO has a “version number” so that GPO’s contents are not re-downloaded if a

client has already seen the contents of a GPO. Said another way the client doesn’t re-

download each GPO every time, it only downloads new or changed GPOs, automati-

cally speeding up startups and logins.

Starting in Windows XP (and continuing onward thru all Windows clients), all Group

Policy operations are, by default, performed in the background when possible. This

prevents most slowdowns from even being “felt” by the end user.

Starting in Windows 8.1, and when synchronous processing is required, the client will

use “locally cached GPOs” which exist on the client machine to speed login time (which

would have traditionally occurred over the network).

Starting in Windows 8.1, one of the more popular Group Policy Preferences items,

Drive Maps, was re-written to always work in the background, speeding up login time

whenever Group Policy Preferences Drive Maps was used on a client, and therefore all

Group Policy processing overall.

Starting in Windows 8.1, login scripts are delayed for processing until 5 minutes after

login. This is to prevent disk contention during the most critical time of setting up the

users’ Explorer and (possible first time profile setup.) The delayed login script feature

of Windows 8.1 is is configurable to any value, including turning this feature off.

Therefore, Group Policy’s slowness can be mitigated when admins know where to look. In

these cases, a wholesale “replacement” of Group Policy and Group Policy Preferences for an-

other tool which replicates the Group Policy or Group Policy Preferences functionality isn’t

something every company should be looking to do until they’ve exhausted all troubleshooting

options with the Windows product they’ve already paid for.


Smackdown


For very detailed information about finding and locating Group Policy slowdown issues, see

Group Policy: Notes from the Field - Tips, Tricks, and Troubleshooting, a talk from TechEd

North America 2014 from Jeremy Moskowitz, Group Policy MVP found here.

5.2 A QUICK NOTE ABOUT MICROSOFT’S AGPM

Microsoft’s Advanced Group Policy Management (AGPM) gets a special note here for two rea-

sons.

First, Microsoft AGPM is often misunderstood in what it can and cannot do. Specifically, Mi-

crosoft AGPM adds “change management” around Group Policy Objects themselves. That is,

AGPM’s main goal is to help multiple administrators create, edit, approve and rollback GPOs in

a systematic way.

Contrary to popular believe, AGPM provides zero added client-side superpowers or benefits

beyond what’s already in the box with Group Policy and Group Policy Preferences.

AGPM is simply a way to store GPOs “offline”, manage them with a team, and put them into

production in a systemized fashion.

For a quick rundown of AGPM Myths and Facts, see the document at (this link).

As a side note, AGPM 4.0 SP3 was recently released with minor update to work with Windows

10 clients and recently added Powershell support.

5.3 MICROSOFT’S “NOW INCLUDED” ROAMING PROFILE REPLACEMENT / SUCCESSOR: UE-V

In previous UEM Smackdown papers, Microsoft’s UE-V was considered a “competitor” to other

UEM solutions found in the next section of this paper which sought to work around the limita-

tions of Roaming Profiles.

That’s because Microsoft previously sold and licensed UE-V as part of a suite of utilities called

MDOP or the Microsoft Desktop Optimation Pak. But Microsoft doesn’t sell MDOP anymore.

MDOP is now simply included to all Software Assurance customers.

Therefore, understanding UE-V before investigating 3rd party UEM tools is paramount, because

ostensibly, you can think of UE-V being almost like it’s “in the box” now for Software Assurance

customers.

Architecture, Operations and Functionality Overview

Microsoft UE-V has main four components:

UE-V Agent (as an MSI);

UE-V Settings Location Templates;

UE-V Settings Storage Location.

UE-V Template Generator utlity.

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/WIN-B328#fbid=

http://blogs.msdn.com/b/customer_reviews_of_stb_products/archive/2013/01/31/microsoft-advanced-group-policy-management-agpm-myths-and-facts.aspx

https://technet.microsoft.com/en-us/library/mt346469.aspx

https://technet.microsoft.com/en-us/windows/mdop.aspx


Smackdown


The UE-V agent must be deployed to all machines where user preferences are to be managed.

The agent looks for the presence of UE-V templates on the machine or a network location de-

fined by the administrator. UE-V templates define the application to be monitored and the lo-

cations within that application to monitor. The UE-V agent then traps user-created preferences

changes to applications and stores them remotely for later use. UE-V storage of settings can be

stored in a file share or the users home drive.

When applications are launched (on the same machine or different machine), the user’s appli-

cation settings are downloaded before the application is launched. The UE-V agent will send

the user’s changed settings back at the following times: Logon, logoff, locking the machine, un-

locking the machine and connecting to an RDS session.

If the user is offline when he makes an application settings change, then it is stored and for-

warded the next time the user connects. Lastly, UE-V has a PowerShell interface to accept a

command that can roll back settings for a particular application to an initial state.

Additionally available is the UE-V Generator utility, which enables administrators to create

their own templates for most applications.

Benefits

UE-V is a step up from Microsoft’s traditional roaming profiles because only the applications’

settings the user needs are downloaded at application launch time, instead of the entire pro-

file and all settings being downloaded at login time.

UE-V ships with some UE-V templates to help roam common Microsoft applications such at In-

ternet Explorer, Microsoft Office, and operating system desktop settings and accessories.

UE-V also ships with a template Generator utility that enables administrators to create their

own templates for well-behaved applications.

Microsoft officially supports the in the box templates for UE-V, and also has non-supported ad-

ditional UE-V templates available for download in the UE-V Gallery (link here).

The UE-V agent can be managed using Group Policy with downloadable ADMX templates and

adive from this link.

Detractors

There are some known issues with UE-V as follows:

There is no “Roaming Profiles to UE-V” wizard to help existing administrators migrate

from roaming profiles, although administrators could run both solutions together dur-

ing a migration phase.

UE-V is now out for several years, and there really is still no guidance or documenta-

tion from Microsoft to help administrators migrate from roaming profiles to UE-V.

UE-V is not supported on Windows XP and there are no plans to make it work on Win-

dows XP machines.

http://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=RootCategory&f%5B0%5D.Value=UE-V

https://technet.microsoft.com/en-us/library/dn458893.aspx


Smackdown


Licensing and Download

UE-V is ostensibly free for al Microsoft SA customers.

UE-V is download as part of the MDOP (Microsoft Desktop Optimization Pack).

More info on licensing MDOP (which includes UE-V and AGPM as discussed in this document)

can be found at (this link.) Again, MDOP contains six total tools, of which UE-V is just one of

them.

http://www.microsoft.com/mdop


Smackdown


6. BEFORE DECIDING ON A 3RD PARTY UEM SOLUTION

Most of the remainder of this paper details 3rd party UEM solutions. Because no two solutions

are alike, and there is Microsoft’s in-box UEM tools (Group Policy, Group Policy Preferences

and UE-V), here are some items you might want to think about before you even start to inves-

tigate any 3d party UEM tool.

6.1 FREQUENTLY ASKED QUESTIONS (FAQ) ABOUT 3RD PARTY UEM TOOLS

Q: Now that Microsoft has its own roaming profile replacement tool (Microsoft UE-V) and

it’s ostensibly “free” tool (for SA customers), what does this mean for me as an IT admin, and

what does it mean for other UEM vendors?

A: The release of a true profile management solution by Microsoft is a significant step in vali-

dating that profile management and cross desktop roaming matters to enterprise customers. It

effectively confirms that profile management has now become a commodity, especially now

that all of the 3 main desktop virtualization vendors (Microsoft, Citrix and VMware) essentially

bundle roaming profile replacement solutions with their core products.

Microsoft is marching forward with developing UE-V features, but they are effectively behind

other UEM players in terms of maturity and feature sets.

If you are a Microsoft SA customer you might first take a look at your Microsoft tooling since

they are included in the license. Depending on your business requirements you might want to

look at other UEM solutions.

Q: Do 3rd party UEM solutions make desktop virtualization projects cheaper?

A: So, you need to be careful when asking this question. All the vendors with 3rd party UEM so-

lutions will try to “Yes” to the question “Does UEM make managing the desktop cheaper?”

The short answer to this is No, it won’t make it cheaper, UEM is not meant to make projects

cheaper, it’s meant to offer you a solution in the end-user environment that makes end-users

more happy and flexible. It will, when implemented correctly, save money on management of

the environment.

Q: Do these solutions make desktop virtualization easier and faster to implement?

A: Customers who already have User Environment Management solutions deployed should see

a benefit and improvement in deployment times and adoption when implementing desktop

virtualization (or even a new physical desktop) – in-house knowledge and processes should al-

ready exist making implementation simpler and thus faster.

If the customer is migrating from an existing desktop environment to new environment, these

tools are intended to assist in migrating profiles and login scripts from the older desktops into

the new desktops. This would be the ideal way to ease entry into desktop virtualization; how-

ever other than replacing scripts with GUI tools, desktop virtualization may not necessarily be

faster. It will make implementation easier as you can guarantee that settings are deployed to

each and ever desktop identically.


Smackdown


Q: How difficult are 3rd party UEM solutions to install, configure and maintain?

A: Although some of these solutions have been around for some time, the knowledge required

for implementation is not as broadly available as those that are included with the in –box Win-

dows UEM tools. The difficulty of using a solution depends per product; one is more difficult to

learn than the other. In general you could say that anyone with several years of experience in

IT should be able to learn if rather fast. This knowledge “issue” is also there with the standard

in-box Windows possibilities, to use the tools offered there requires learning as well. If you

start with a solid understanding of what you want to solve you’re half way there.

Technically, all UEM products were niche solutions – trying to solve a particular problem. Re-

member that many UEM solutions sprang from problems born from the world of Terminal

Server deployments and the problems found there.

As you consider a 3rd party UEM solution, making a decision implementation includes knowing:

• Infrastructure requirements - database and file storage, network requirements etc.

• Configuration optimization - creating an initial configuration and optimizing it as the

project progresses.

• Implementing the best configuration solution for specific scenarios – there are multi-

ple ways to solve a configuration scenario.

• Training and staffing: who is going to “own” this new 3rd party UEM solution in your

organization. How will you train the next team member?

Q: Do these solutions replace any existing tools/processes?

A: In most deployments, large portions of logons scripts (VBscript, Jscript, KiXtart) can be re-

placed with graphical user interfaces from different UEM solutions. That should, in theory,

generalize the knowledge required to support the user environment (replacing specialized

knowledge). As you move more and more User related management in one tool other tools

and processes might be obsolete. Will it replace all tools you currently use? Probably not, but

that will differ for each organization.

Q: Are all UEM vendors selling the same thing?

A: Actually, no.

It’s true many UEM vendors are first and foremost trying to resolve the issues with “Roaming”

Profiles and often make logins faster.

That being said, some UEM vendors aren’t trying to do anything like that at all.

And still other UEM vendors are also selling add-ons to their core solutions and branching out

to other areas as well.

For instance, AppSense, RES, Citrix, VMware and Microsoft all have something that tries to re-

place in-box Roaming Profiles.


Smackdown


But vendors like Unidesk and FSLogix are building solutions, which add (or hide) application

layers, making applications interchangeable on an already-delivered desktop.

And, to take a brief look at some other varying examples, AppSense, RES, Liquidware Labs, and

PolicyPak Software are all taking very different approaches with their portfolios.

AppSense is branching into Mobile Device Management, Data Access and User In-

stalled Applications

Unidesk layers applications on VDI images

FSLogix hides applications pre-installed in golden images

Liquidware Labs has branched out to User Installed Applications and application layer-

ing

RES now delivers Workflow Automation, Data Access and an Service Store as well a se-

curity in their UEM solutions

PolicyPak focuses on “what’s missing” in Microsoft’s portfolio and leverages customers

existing Microsoft Group Policy or SCCM intrastructure and/or AGPM, Roaming Pro-

files or UE-V to make a complete solution.

Q: Will Windows 10 change the game?

A: When Windows 8 was released, Microsoft introduced some new roaming features with

modern (aka Metro / Universal) applications. These settings can be roamed when users marry

their on-premises accounts with a Windows SkyDrive account. Or, they can also be roamed

with Microsoft’s product UE-V, discussed earlier.

What about Windows 10? The main feature of Windows 10 is that it’s supposedly the “last”

version of Windows, with in-place upgrades going forward. In this way, it becomes less im-

portant for UEM vendors to say that they are always on the bleeding edge of operating system

compatibility, because eventually, nearly all systems will be on Windows 10.

Therefore, UEM solutions will always be needed to fill the gap, to manage the desktop experi-

ence, and provide an awesome experience for end-users. Will Windows 10 be a game

changer? I don’t think so, I think the game changer has been the development in storage that

made virtual desktop environments more interesting from a cost perspective. Before storage

was the bottleneck for many many disks where needed to offer any performance, today speed

isn’t an issue and more organizations move to virtual desktops and of course Window 10.

Q: Do these solutions really help with Application Virtualization, or is that just marketing?

A: Yes. Various UEM solutions can actually manage user personalization data inside of “bub-

bles” or “sandboxes” where virtual applications reside.

If you’re using Application Virtualization products like App-V or ThinApp, then ensure your

UEM product works alongside it and can manage and/or roam user’s settings from within the

bubbles.


Smackdown


The market of application virtualization is shifting from virtualization to layering as Unidesk,

Liquidware Labs Profile Unity and VMware Appvolumes offer application layering methods

where applications are installed in reference machine and attached to desktops when needed.

This is not virtualization and won’t isolate anything. It is a new way of offering departemental

applications.

6.2 WHAT ELSE SHOULD I LOOK FOR IN A UEM TOOL?

Remember that no UEM tool is right for everyone. As such, here are the key items to look for

within all the tools in this guide, and see which one is right for you.

User personalization and/or Application and Desktop Management

This is typically the core of most UEM tools, but not all. The usual complement of features

would be items like:

• Configure the users look and feel of the desktop

• Assign drive mappings to network shares

• Assign printers

• Assign applications and corresponding settings

• Set, change or delete Registry settings

• Provision specific application settings, such as Microsoft Outlook profile(s)

• Provision Database connection settings (ODBC)

Both in-box Microsoft’s Group Policy / Group Policy Preferences Preferences and, in general,

3rd party UEM solutions offer the possibility to make many of these configurations. The differ-

ence to Microsoft offering and the other UEM solution is that most others are offering context-

awerness with all the features. Allowing you to controle when a printer is connected and when

a setitngs is loaded versus it is loaded always at logon in every scenario.

Whitelist / Blacklist: Application Access Control

As of Windows 7 Microsoft provides Applocker which can be used to allow or block user-con-

text applications from running. New to Windows 10 is DeviceGuard, which can provide both

user-mode and kernel-mode code integrity.

That being said, some UEM solutions give the IT admin-enhanced ability to strictly determine

what applications the user is allowed the use, and make that context aware. For instance,

when working on a desktop on-premises the user is allowed to access and use the HRM data-

base application. However, when accessing a desktop from a computer at home the HRM da-

tabase application is not available. This functionality can be extended to time, location, device

or with specific requirements on the computer the user uses. With security management, the

User Environment Management solution provides and enforces access to applications.

Some vendors offer the ability to deliver a functionality of an application or button in an appli-

cation based on a user or group whereas other cannot do this other than per server/desktop.

User Rights Management / Elevation


Smackdown


Newer to some 3rd party UEM tools is the ability to sidestep UAC prompts.

If you want to accelerate your walk away from admins on all workstations, consider a solution

which enables you to specify where UAC prompts can be automatically run with admin rights.

Resource Management

Resource Management monitors individual users and/or processes for excessive usage and

takes appropriate action when exceeding thresholds. In addition logging of these events can

be very useful to determine system bottlenecks. This can help pack more users onto shared re-

sources like VDI and RDS.

License Management

UEM solutions with license management enable you to configure the licensing model (per

named user, per device/system, concurrent user or site) for each application.

License management can provide insights into application usage. With monitoring application

usage, organizations can better determine the amount of licenses needed. In some cases this

means that many users don’t use specific applications and therefore savings are possible.

Monitoring, Auditing and Reporting

Make sure that the UEM solution you invest in has reporting that makes sense for your organi-

zation. Sometimes “too much” reporting means you wont use it at all. Likewise make sure you

understand how to troubleshoot your UEM solution so when something goes wrong, you have

a basic understanding of what to try to fix.

“Just in time” / Layered Application Delivery / User-installed applications.

Some UEM solutions can help you manage your number of gold images.

They will enable you to layer applications on after the image is deployed.

Others will help you hide applications after the image is deployed.

Others will enable you to provide a method for users to install their own applications.

Just-in-time delivery achieves several things:

1. It improves the user experience by allowing the user to get to their applications and

data faster – the user is productive sooner.

2. IT has better control and view of the user environment because we are now having a

clearer view of the user layer.

3. The business can now have more trust and confidence in their computing environment

because it can be a more proactive environment.

A way to think about why you might need Just-in-time delivery of applications is shown in Fig-

ure 3. Here you can see that the largest percentage of users uses the same number of applica-

tions (say, Microsoft Office.) But the more applications you have, the fewer number of your us-

ers actually utilize them.


Smackdown


Figure: Applications in specific user context

Source: Citrix

You might also need the ability to enable users to install their own applications.

This might sound odd within the context of User Environment Management – allowing users to

make changes in a managed environment, but this will become part of the toolset for getting

any application to the user in any context.

6.3 THE FUTURE OF UEM AND THE UEM SMACKDOWN

One question I get on a regular basis is how do you see the future of this document? Will there

be a next version alike?

In the field we all see customers working with a versatile number of devices working while us-

ing resources in a cloud or on on-premises. These devices need to be managed. They have ap-

plications, data and settings that need central management. This is not different from the UEM

management where we want central management for applications, data and settings for em-

ployees working on FAT clients or in a virtual environment. Merging of those two businesses is

coming our way, there is no us and them anymore in the near future. UEM and EMM will

merge into one, there is no way we can stop that. In the future, and the future is now, users

will work on different devices expecting the same experience everywhere. UEM and EMM will

need to work together offering that, one managing the device the other everything on the de-

vice. Look at what VMware is doing with UEM and Airwatch and Horizon View, look at what

Microsoft is doing with Enterprise State Roaming and OneDrive. Citrix also has all the tools in

hand with XenMobile, VDA agent and receiver to manage any device for any user.

So to answer the question, I think the next version or at least one of the next versions will be a

merge of the two worlds, a workspace management smackdown of some sort, perhaps a dif-

ferent name but one with both worlds combined.

http://blogs.citrix.com/2011/08/24/personal-vdisks/


Smackdown


7. SOLUTION OVERVIEW

7.1 INTRODUCTION

To get an overview of the major players in the User Environment Management space, a num-

ber of solutions are explained in this chapter (sorted alphabetically by vendor). These solutions

have a broad range of lighter functionality to “everything included” functionality.

This time we’ve done things a bit different, before we played the teacher who would take out

too much marketing fluff of what was deliverd. That was a huge task and actually not one I was

looking forward to. One vendor might think I cut them short in favor of the other. So in this

edition we let the vendors go free, they all got the freedom to write four pages about their

product, their solution, their suite. I don’t mind what they write, they have four pages to con-

vince you they are what you need.

Some vendors are small some are Enterprises, some are part of bigger companies. All vendors

have equall amount of pages to write on, we don’t judge we compare.

I call this the UEM Vendor marketplace so mind the step, when you enter this chapter you

leave the unbiased sector and you’re in the hand of marketing. Hope we see you again in

chapter 8.


Smackdown


7.2 VENDOR MATRIX, WHO HAS FOCUS ON WHAT!?

There are quite some vendors in the “User Environment Management space”. The diagram

below gives an overview of the focus of the various User Environment Management (UEM)

software vendors. This diagram has nothing to do with the (possible) discussion which vendor

provides the most and the best functionality and features. A complete overview of the fea-

tures and functionality is available in chapter 6 – Feature Overview.

Vendor Product

Use

r P

rofi

le M

gmt

Use

r P

erso

nal

isat

ion

Ap

plic

atio

n A

cces

s C

on

tro

l

Use

r R

igh

ts M

anag

eme

nt

Re

sou

rce

Man

agem

en

t

Lice

nse

Man

agem

en

t

Ap

plic

atio

n D

eliv

ery

Mo

nit

or,

Au

dit

an

d R

epo

rt

Appixoft Sense

AppSense DesktopNow

Citrix User Profile Management

Dell Wyse vWorkspace

Liquidware Labs ProfileUnity

Microsoft GPO, GPPrefs, USV, UE-v

Norskale VUEM

PolicyPak PolicyPak Application

Manager

RES ONE Workspace

Tricerat Simplify Suite

VMware Persona Management

VMware User environment Manage-

ment


Smackdown


7.3 APPIXOFT

Introduction

AppiXoft enhances productivity for both end-users and administrators with the Scense UEM

solution. Scense makes it easy for the administrator to provide great and consistent user expe-

rience.

Scense WSM extends the workspace as we know today to a personalized and customized one.

Universal access to IT resources, a context-aware user experience, location services, Live Pro-

files, software metering, reporting and dynamic printer management all ensure a high level of

freedom and personalization for the user, while leaving control firmly in the hands of the IT de-

partment. Scense Workspace Management is a true One-Stop shop for solutions to your IT

challenges of today and tomorrow.

Solution

Scense has been known for years as an easy to use, efficient workspace management solution

for desktop environments with Pc's, laptops, terminal services and virtual desktops. Managing

workspace environments with temporary staff, task workers and power users has never pro-

vided any challenges to Scense administrators. The latest release, Scense 10, continues to ad-

dress the latest IT challenges and use cases in the same elegant way.

Figure 2: Scense 10

Employee owned devices (BYOD, BYOC and CYOD) - Scense supports unmanaged devices

without the need for a complex to manage and expensive data center for hosted desktops or

terminal server sessions. Earlier versions of Scense have resulted in already tens of thousands

of end users using their own laptop or PC to use corporate applications and resources. As op-

posed to the way previous Scense versions made it possible to do ‘on premises’ BYOD, Scense

will be able to service BYOD remotely over the internet, including software distribution.

The Scense location services and context awareness will address the IT managers’ most urgent

concerns related to fear of data loss or leakage, compliancy rules and, last but not least, dirty

PC’s. At the same time, Scense Live Profiles will ensure a consistent user experience for the

end user by transferring personal application settings between corporate, managed and per-

sonal devices.

Mobile users - Facilitating mobile users with access to corporate applications and data, while

keeping IT regulations in place, has been a challenge for both administrators and end users for

years.


Smackdown


By delivering workspace management over the internet, end users are able to use corporate

resources or add new applications as soon as internet is available. No more hassle with VPN

connections or network cables. At the same time, IT is able to update machines of mobile end

users and enforce IT policies in real time to mobile devices. A mobile user is no longer a risk to,

but a friend of the IT department.

Functionality

Scense contains many unique, innovative, features that focus on user freedom, as well as con-

trol by and cost savings for the IT department. The new service oriented architecture of Scense

extends the reach of these features outside the corporate network.

Figure 3: Scense service oriented architecture

Dynamic Application Delivery and Control - Applications and all related information, like user

settings, policies, drive mappings or printers, are centrally managed and dynamically delivered,

personalized and configured accordingly to the circumstances under which a user operates.

Context aware access to these applications is provided in a secure, safe, efficient and elegant

way.

Conflict Free Provisioning - Scense “Conflict free Workspace Provisioning” is based on a tech-

nology called “Adaptive Installer: unique technology that enables real-time conflict isolation

during the installation of a Windows application. In combination with the integration of all ma-

jor application virtualization vendors, Scense always provides a 100% conflict free workspace,

even on unmanaged PCs and without the need for a client hypervisor.

Scense Live Profiles - A fire and forget solution for user profile management. Workspace and

application related user settings are separately and centrally stored but transparently available

regardless of the version and architecture of the Microsoft Windows operating system and ac-

cessible throughout the entire landscape of physical and virtual desktops, laptops, terminal

server sessions, unmanaged PCs and natively installed and virtual applications.

User Workspace Management as a Service - With the support of WCF, the Scense Engines run

within Microsoft’s Internet Information Services. IIS's scalable and open architecture is ready

to handle the most demanding tasks. The switch to WCF also results in a change of communi-

cation protocols, opening up new use scenarios. The full Scense service portfolio will be availa-

ble over the internet, including application distribution.

Real time Monitoring and auditing - Scense’s “Session Control Engine” provides the adminis-

trator with real time information and control over his desktop environment from machine

startup until machine shutdown. Intervene directly, in real time when problems arise. Block


Smackdown


applications instantly, provide the end user with understandable messages, install on the fly

updates or applications and implement new policies when needed.

Self-service and Remote Support - Because of Scense’s session control engine, administrators

are empowered to proactively prevent desktop problems from happening. When issues do oc-

cur, users are encouraged to address these themselves. Repairing applications, refreshing

workspaces or resetting parts of the user-profile are all available to all user types: locked down

or not managed at all. Remote support functionality is available for the rare occasions that it is

really needed.

Software Metering and Reporting - Scense will track the usage of applications on all work-

stations and store this information in the central database from which clear and informative

reports are generated by the Scense Report Viewer. Scense comes with several preset reports

that show application usage in several ways. Reports can be added and modified. Having a firm

grip on costs is very important for the IT manager. Excessive software costs coming from un-

necessary renewals or over-compliance on expensive software can very easily stack up to large

amounts. IT Managers who are looking for ways to reduce the IT expenses will quickly appreci-

ate the insight Scense Software Metering will bring to them.

Architecture

Scense is easy to install, has minimal impact on your existing IT architecture and will support

on premises and hosted environments.

Figure 4: Scense Architecture


Smackdown


The server elements of Scense are installed centrally in the company’s data center or hosted

externally. Scense supports centralized and distributed multi-site implementations. Perfor-

mance and availability can be guaranteed by the use of Network Load Balancing, Database mir-

roring and Scense’s own multi-site support mechanisms.

Scense Database - The Scense database, containing all information and instructions related to applications, user settings, desktop configurations etcetera, is stored on an Oracle or MS SQL database server. Scense agents will contact this database, via the web service, to retrieve in-structions during the clients’ user and computer sessions.

Scense Server - At the heart of the Scense system are the Scense web services. These services are used by the Scense Executive component installed on the clients. The Scense Engine web service communicates tasks received from Scense Executive to the database engine. The Scense web services make full use of IIS’s scalability. Scense will use the communication pro-tocol that best fits the use case in play: http(s), ftp(s) or a WCF communication channel.

Scense File shares - The Scense file shares (App Store and Profile Store) store all the (virtual or physical) application packages that need to be available to end-users as well as multiple histor-ical versions of the Windows profile per user and per application. As soon as an end-user re-quests an application that is not available yet, the application is installed or streamed and started or activated. The user profile for that application is injected during application startup and stored after an application is stopped.

Every client managed by Scense needs the Scense client components. These can be installed

on virtual or physical desktops, on Terminal Servers, on laptops or employee-owned devices

that are not part of the Active Directory. Administrators can use the Scense update manager to

install and update Scense clients in an unattended and reliable way.

Scense Client and Scense Executive - The Scense Client and Scense Executive work together to

execute the Scense instruction on the desktop and give feedback to the user. If the client soft-

ware is unable to retrieve instructions from the Scense database (because the Scense Engine is

not responding) a local database is used, the Local Cache.

Licensing

The Scense Workspace Management Solution is licensed per named user or per device


Smackdown


7.4 APPSENSE

Introduction

Founded in 1999, AppSense is the global leader in “Secure User Environment Management.”

This comprehensive, highly scalable set of solutions enable IT teams to deliver an enhanced

user experience with improved endpoint security across physical, virtual, and cloud based

desktops. With over 3,600 customers worldwide, AppSense has now been deployed to over

9,000,000 endpoints. AppSense revenues exceed $100M and it employs around 400 employ-

ees across the globe. AppSense was recently acquired by LANDESK, who plan to allow

AppSense products to continue to innovate independently and help them gain market share in

user environment management. AppSense operates a channel-based model and works with

both global and regional system integrators and partners to deliver its solutions. AppSense of-

fers a number of services including pre and post sales consultancy packages and operates a

24/7 support desk.

AppSense technologies are commonly sold as the DesktopNow Plus suite. DesktopNow Plus

allows organizations to abstract the management and user elements away from the underlying

platform, OS and application delivery mechanism. This is done to deliver a consistent yet se-

cure productive workspace regardless of how the environment is being delivered. This layer of

abstraction allows AppSense to create something known as “USER DNA.” The user’s DNA con-

sists of both user personal settings and data in addition to policies and configurations placed

on the user by IT. By managing and applying the USER DNA on demand, organizations can im-

prove the user experience provide contextual security to windows endpoints without effecting

productivity, and reduce costs associated with Windows migrations and.

The DesktopNow Plus Suite is made up of the following components which whilst are com-

monly sold together, can be purchased independently to help organizations solve a particular

use case.

Environment Manager

Application Manager

Performance Manager

DataNow

Insight

AppSense believes that user data is a key element of “User DNA”. However, this “UEM Smack-

down” document will only discuss and compare the AppSense DesktopNow suite (Application

Manager, Environment Manager and Performance Manager). In other words, Insight and

DataNow technologies which make up the DesktopNow Plus suite are excluded from this re-

port. For more information on DesktopNow Plus, Insight or DataNow, please visit our website

at www.appsense.com, and also look out for the PQR “Enterprise File Sync and Share Smack-

down” document that discusses DataNow in more detail.

Whilst AppSense agents and configurations can be deployed via any 3rd party tool (such as

SCCM), AppSense also provides the AppSense Management Center at no addition cost to its

http://www.appsense.com/


Smackdown


customers. This is a highly scalable, 3-tier deployment and management platform that allows

both deployment and auditing of DesktopNow.

Many organizations already have multiple ways in which they deliver desktops and applica-

tions to users (Desktop, Datacenter, Cloud). This “hybrid Windows world” means that it is be-

coming more difficult to manage users across these multiple delivery platforms. The user re-

quires an environment tailored and personalized to their needs to be productive. They want

flexibility in what they can do and or change, but also expect their preferences to roam with

them and carry forward onto new platforms. IT needs to lower the cost of managing the mul-

tiple environments, deliver a fast and predictable user experience, and monitor and secure the

environment on behalf of the business.

Delivering a secure yet productive Windows environment has historically been challenging. Ap-

pSense solves this challenge by…

Improving user experience

o Extremely fast logon times

o Complete removal of profile related support calls and profile bloat

o Consistent user experience across multiple platforms

o Consistent user experience during Windows migration

o Ability to carry both user data and personal preferences from one environ-

ment to another.

Securing the endpoint

o Application control and whitelisting without the administrative overhead of

creating lists of known or unknown executables

o Protection against user-introduced and unknown executables

o The ability to implement least privilege management and remove the need to

provide users with local admin rights

o Containerize user sessions by limiting both users and applications to only com-

munication on certain addresses or ports.

Reduction in Capital expenditure

o Audit and control application execution based on user, device and connecting

device to reduce application license costs

o Manage CPU and memory to increase user density which decreases hardware

and associated management costs.

Reduction in Operational Costs

o Reduction in 3rd line profile related support calls

o Consolidate management of policies and management across multiple estates.

o Reduction in both OS image management and application packaging

o Reduction in the cost associated with remediation and break-fix

o Reduced time and cost associated with any Windows migration and /or trans-

formation project

Functionality

AppSense can take any Windows image no matter where it resides and upon machine startup

and/or user logon, dynamically configure, personalize, secure and optimize the environment


Smackdown


specific to the user and their context. This removes the need for logon scripts, Group Policies,

Roaming profiles, whitelisting, admin rights, server isolation, multiple images, multiple applica-

tion packages, offline files, and folder redirection.

Profile Management – the key to desktop personalization

AppSense replaces traditional user profile management with an on-demand personalization

approach delivering a more secure and user friendly workspace. AppSense utilizes a 3-tier ar-

chitecture for synchronizing user application profiles to an endpoint. User application profiles

are stored in a SQL database and synchronized down to end points via an IIS server over

HTTPS. Whilst a SMB share can be used, AppSense recommends this 3-tier approach as it pro-

vides a number of unique benefits. “Multiple Application Delivery Support” and “cross OS

support” means that AppSense does not care how the application is delivered and on what

desktop. User profile information can roam freely from locally installed applications on Win-

dows 7 to a virtualized application on Windows 10 as an example. Roaming of this profile can

be done in session without the need for the user to logoff and logon. AppSense supports both

desktop and server operating systems, varying CPU architectures, and multiple desktop and

application delivery technologies such as XenApp, XenDesktop, VMware Horizon View, RDSH,

App-V, ThinApp, AppVolumes, Unidesk, SCCM and many others. Because profile data is being

stored in SQL, snapshotting, rollback, last known good, and delta sync is possible out of the

box. This allows both user self-service and web based support tools to easily manage user

profile information and remediate where needed. The use of IIS and SQL also provides support

options for mirroring, failover, scalability and DR.

A contextual Rules Engine at the heart of all AppSense technologies means that the User DNA

can be applied on user/user group, but extend to more contextual rules such as IP address,

NetBIOS name, device type, date/time, etc. More recent versions of AppSense have also intro-

duced new rules enabling file checks, registry checks, NetScaler policies, and both Citrix and

VMware conditions. In addition to the rules engine, AppSense also utilizes a number of “trig-

gers”. These triggers allow AppSense to check rules and process actions at other times in addi-

tion to logon and logoff. “Session connect”, “network connect”, “desktop unlock” and “process

start” are just some of these triggers allowing more granular control over when profile man-

agement and configuration takes place. Unlike traditional roaming profiles which are loaded

during logon and logoff, AppSense enables a just-in-time load of application settings instead of

a just-in-case. Unlike a traditional logon script which executes in sequence, AppSense achieves


Smackdown


ultra-fast logons thanks to its multithreaded and optimized agent which can cache and process

configurations in parallel. AppSense also includes “pre”, “during” and “post” logon triggers, al-

lowing admins to control when Windows desktop configuration takes place to further reduce

logon times. DPI settings, for example can be set “pre desktop” but other items can be placed

under the “post logon” trigger to allow tasks to run after the and not impact logon times. An-

other example could utilize the “unlock trigger” to allow printer mappings to be amended

based on location when the user unlocks their desktop.

Endpoint Security – Application control and User Rights Management (Least Privilege)

Regardless of whether you are deploying a VDI image to developers or a physical laptop to a

standard user, local administrative rights continue to cause organizations a challenge when it

comes to providing a secure and productive environment. Windows endpoint security is a ma-

jor focus for many organizations and removing local admin rights from the user based can have

significant benefits when it comes to protecting Windows endpoints. The challenge is that too

many Windows admin tasks (like changing the Date/Time) and applications still require local

admin privileges. AppSense user rights management can elevate tasks and applications as-

needed, allowing organizations to implement a least privilege management practice. In addi-

tion, application control and whitelisting is recommended to secure, control and audit which

applications are being installed and run by users. AppSense utilizes a unique approach called

Trusted Ownership™ Checking which removes the administrative overhead of whitelisting.

Users can run executables which have been delivered by the business and 3rd party application

deployment tools, but are protected against unknown and user-introduced executables. Appli-

cation control also allows authorized applications to be controlled based on context, allowing

AppSense to audit and control per device licensed applications and those applications which

need to be controlled for compliance reasons. (See Gartner report on how AppSense helps

“Ensure Applications Are Properly Licensed on VDI”, Nathan Hill & Stewart Buchanan, March

7th, 2016.) Additional features known as “Self Authorization” and “emergency change control”

also allows users to self-install and self-authorize unknown applications when they are offline

or away from the office.

Lockdown The majority of applications at customer sites are non-Microsoft and do not come

with Administrative Templates (ADM and ADMX) files. It is therefore not possible to block

functionality based on rules. AppSense Environment Manager’s Lockdown technology enables

administrators to strip out unwanted application and Operating System functionality depend-

ing on the user’s context, to reduce the complexity of the end user experience or for security

purposes. For example, it is possible to hide or prevent access to specific application interface

components such as buttons, menus and toolbar items, disable keyboard strokes such as Print

Screen, Copy or Paste and prevent certain text from being entered into edit controls such as

Web browser address bars.

Performance Management Simultaneously reducing capital expenditure associated with user

density and hardware in virtualized environment and improving user experience, AppSense

has patented technology which manages and controls both CPU and Memory. By managing

runaway CPU thread, scheduling CPU processes, optimizing DLL rebasing and trimming

memory, AppSense can prevent CPU lock ups, reduce memory hungry applications and ensure

a consistent quality of service yet increase user density.


Smackdown


Solutions:

Windows Migrations

Endpoint security

Profile Management

Privileged Management

File and Data Sync

Performance Management

User based analytics.

Licensing Options

AppSense User Virtualization software is typically licensed on a named user basis. A license is

required for each managed user regardless of how many devices they use. Concurrent licen-

sing is also available on request.

http://www.appsense.com/solutions/windows-migration-software/

http://www.appsense.com/solutions/pc-desktop-security/

http://www.appsense.com/solutions/pc-user-profile-management/

http://www.appsense.com/solutions/manage-user-administration-rights/

http://www.appsense.com/solutions/desktop-user-data-management/

http://www.appsense.com/solutions/application-performance-server-density-management/

http://www.appsense.com/products/insight/


Smackdown


7.5 CITRIX

Introduction

Citrix’s User Environment Management solution is premised on the following technologies.

Some are Citrix delivered capabilties and others are leveraging the inherent capabilties of

Group Policy with Group Policy Preferences.

Profile Management: Citrix UPM (User Profile Manager); UPM Cross-Platform Settings;

Micrsoft’s UE-V (may be leveraged with UPM instead of Cross-Platform Settings fea-

ture)

Data: ShareFile is the recommended method to manage user data such as documents

across all devices and OS platforms.

User Environment Settings: Microsoft GPP (a component GPO) is a very powerful

method for managing all user environment settings (like printers, home drives,

shortcuts etc). It is inherent within AD at no additional cost and includes item level

targeting (and other methods) to highly customize and focus user environment set-

tings.

Apps Control/Licensing: XenApp with features like App Limits; Microsoft AppLocker

adds an additional layer of app control and is also built into AD.

Monitor, Audit, Report

o UPM Log Parser, Troubleshooter and a PowerSehll based UPM best practice

validation tool

o Citrix Director logon and profile related statistics

Profile Management (Citrix UPM)

Citrix Profile management is intended as a user profile solution for XenApp, XenDesktop, and

physical desktops. Profile management ensures that the user’s Windows’s profile is roamed

effectively and reliably across all the user’s sessions and connections.

Profile management is enabled through a profile optimization service that provides an easy,

reliable way for managing these settings in Windows environments to ensure a consistent ex-

perience by maintaining a profile that follows the user. It auto-consolidates and optimizes user

profiles to minimize management and storage requirements and requires minimal administra-

tion, support and infrastructure, while providing users with improved logon and logout.

The most common challenges that impact the user experience and that administrators have to

address when managing user profiles are:

Last writer wins – When users work on more than one physical or virtual device, their

individual personal settings may be overwritten in a seemingly random manner when

they log off.

Profile bloat and logon speed – Profile bloat creates unwieldy growth in user profiles

and resulting storage and management issues. Typically during logon Windows copies

the user’s roaming profile over the network down to the local machine. Logon time is


Smackdown


prolonged by the time it takes to transfer the whole profile over the network. The

larger the profiles are and the more files they contain the slower the logons will be

Benefits

Citrix Profile Management provides fast logons, the most control over profile settings and ad-

dresses the last-write wins issues all from a central management point (GPOs).

Citrix Profile Management provides more flexibility as of what needs to be included or ex-

cluded from a user profile. With Profile Management one can configure which registry keys in

the HKCU hive needs to be ignored or included during logoff. Also files and directories can be

configured so that they are exclude from a user profile.

Profile Management addresses the last-write-wins issue. No longer is the complete user profile

copied at logoff. Environments where users work within multiple sessions, i.e. one remote ses-

sion and a local session, are always faced with the default Windows profile handling procedure

where the user profile from the last session overrides all the other session user profiles.

Profile Management also provides a streaming functionality. With profile streaming, users’

profiles are synchronized on the local computer only when they are needed. Registry entries

are cached immediately, but files and folders are only cached when accessed by users or appli-

cations.

Features

Profile streaming. Profile streaming completely negates the impact of the user’s pro-

file size and its impact to logon and logoff. When profile streaming is leveraged, the

profile load time for a profile whether it’s 100 MB or even 500 MB may remain in the

6-7 seconds load range. The profile data is then only copied down on demand when

it’s actually needed or requested by a user action or application acitivity.

Active write back. With Active Write Back, setitngs are written back to the user store

as they occur instead of ewaiting for a logoff event to synchronize all the setitngs back.

This both improves the reliability of capturing changed settings during a session but

also prevents loss should a logoff event never occur.

Profile migration allows you to migrate profiles to and from physical computers and

virtual ones. Depending on the configuration settings, Profile management can copy

existing roaming profiles and local Windows profiles to the user store. Existing manda-

tory profiles can be used as the basis for Citrix user profiles when saved as a template.

Wildcard support. Allows the use of wildcard characters in file names for synchroniza-

tion, inclusion, and exclusion lists.

Logging. All entries in log files are identified with the user name, domain, and session

id (where identifiable).

Consistent user settings. Solves the "last-write-wins" problem that occurs when the

last open session overwrites all of the profile data from previously closed sessions.

Easy integration. Profile management can be integrated easily into existing deploy-

ments. No new infrastructure or changes to logon and logoff scripts are required.


Smackdown


Active Directory-managed licensing. You can manage user entitlement using an Active

Directory user group.

Improved monitoring and reporting. Additional Performance Monitor counters and Cit-

rix Director/EdgeSight integrations allow you to measure several new aspects of logon

and logoff, providing improved benchmarking.

Licensing

Citrix Profile Manager is a feature of XenApp and XenDesktop (All Editions). Citrix licenses us-

ers are extended rights for UPM usage to the user's physical devices e.g. you have 1,000 Xe-

nApp Enterprise users - these users may install UPM on their Windows device(s) to also man-

age their profiles on those respective devices. There is no separate licensing options for UPM,

only as a feature of XenApp and XenDesktop.

Architecture

You install the Profile Management agent on each computer whose profiles you want to man-

age. The installation is straight forward and available for x86 and x64 operating systems. All

currently available operating systems are supported.

The Profile Management runs as a service and can be configured using ini-files and/or centrally

with the use of Microsoft Group Policy Object’s (GPO). ADM and ADMX templates are pro-

vided.

Citrix Profile Management intercepts the default Windows user profile handling process. As

soon as a Windows profile process starts, the Profile Management service kicks in and takes

care of the necessary actions based on the GPO settings and INI settings.


Smackdown


As with a Windows roaming profile a central location is needed to store the profile. This cen-

tral location is called the User Store. Every user should have access to the user store, a net-

work folder where profiles are stored centrally. Alternatively, profiles can be stored in users'

home drive if preferred

Figure 5: Citrix Profile Management overview


Smackdown


7.6 DELL WYSE VWORKSPACE

Introduction

Dell Wyse vWorkspace is the result of an acquisition in 2007 by Quest of a company called Pro-

vision Networks. In 2012 Dell bought quest and was then transitioned into the Dell Software

Group Founded in 2004, Provision Networks aimed to reduce the adoption barriers of virtual

desktop deployment and application delivery, through cutting-edge technologies that address

the end-to-end requirements of global deployments. Dell Wyse vWorkspace delivers virtual

applications and desktops from multiple hypervisors, Remote Desktop Services and blade PCs

through a single user access point and management center.

Benefits

Dell vWorkspace isn’t focused on User Environment Management but it has a small set

of capabilities in place without any additional charge. This is called the “MetaProfiles”

feature and it will capture settings at logoff and recreates them at logon. Benefits.

The customer doesn’t always need an UEM solution in addition to their desktop virtu-

alization product when they use vWorkspace and that saved money while improve

user management.

Manage user environment settings (drive mappings, printers, registry keys) without

login scripts.

Dynamically build the start menu.

Location based printing.

Includes Wyse Streaming manager which can be user for OS streaming capabilities and

doing application layering

Functionality

Dell vWorkspace offers control of the usual user environment settings (drive mapping, print-

ers, registry keys, screensavers, security policies, etc…) and also some persistence of user pro-

file changes between sessions in our MetaProfiles feature. All of these settings can be targeted

based on client name, IP, user name or group or OU. The settings can be applied to Terminal

Servers/Session Hosts or VDI.

This will allow to deploy a dynamically-generated and configured Windows desktop across

multiple virtualization technologies for a blended delivery, allowing lower costs, more control

and security, and management of the level of personalization possible by the user.

Architecture

The connection broker is called the vWorkspace Connection Broker. Other components are a

vWorkspace configuration database, vWorkspace web interface and vWorkspace Secure gate-

way server. The protocol that is used to connect to the desktop is the regular RDP protocol. For

a better (graphics) performance over WAN the EOP protocol (Experience Optimized Protocol)

can be used, which can be leveraged over RemoteFX or an HTML 5 connector can be used.


Smackdown


Foglight for VDI is also included which can run as a separate service on top of vWorkspce but

has a built-in connector for vWorkspace which allows for end-to-end monitoring directly from

vWorkspace console.

vWorkspaceConnection Broker(s)

vWorkspace Secure Access

RD License Server

vWorkspace Web AccessHTTP or HTTPS

Internet

LDAP

XML

Active Directory (one or more, trusts not required)

vWorkspaceConfigurationDatabase

Re

mo

teFX

+ E

OP

&

XM

L ove

r SSL

Extern

al

XM

L 80

80

RDP – 3389 – InternalFrom Secure Gateway to VDI & RD Session Hosts

vWorkspaceUniversalPrint Server

RDP over SSL

RPC

vWorkspaceUniversal Print Relay

Wide Area Network

EMF CompressedPrint Jobs

Broker <-> Data Collector

Provided by Dell

There is also Streaming manager which is part of the vWorkspace bundle, but requires another

service which allows for network streaming using PXE of operating system and of application

layers, which are added during logon.

Licensing

The UEM features are not sold separately but only available as part of Dell vWorkspace. Dell

vWorkspace is available in 2 types of licenses: The Desktop Services Edition and Premier Edi-

tion. Both are available as concurrent and device based licenses and include Foglight for virtual

desktops.


Smackdown


7.7 FSLOGIX:

Introduction

FSLogix addresses problems that have prevented wide scale adoption of the enterprise vir-

tual workspace, simplifying administration and providing the best user experience for maxi-

mum productivity.

FSLogix Profile Containers has the industry's fastest logon time, and allows applications like

MS Outlook and Windows Search to run at near native speeds (finally!). It eliminates the lo-

gon storm impact of folder redirection and significantly reduces load on network and server

resources. Profile Containers enable large file access and true Cached Exchange Mode for Of-

fice 365 and other hosted email products.

FSLogix Apps dynamically provides per user application visibility. Applications run at native

speed. No need for sequencing and repackaging.

Solution

FSlogix Apps is a solution designed to enable IT Administrators to manage the emerging enter-

prise workspace, reducing the amount of hardware, time and labor required to support physi-

cal, virtual, and cloud desktops. FSLogix has developed a technique called Image Masking to

create a single Unified Base Image that hides everything a logged in user shouldn’t see, provid-

ing predictable and real-time access to applications and other workspace components like

fonts, browser plugins, application add-ons, etc. This approach uses advanced file system filter-

ing which extends from the base image out to VHDs and other critical infrastructure areas.

Image masking functions identically across a wide range of Windows-based platforms, simplify-

ing the path from traditional to virtual environments, with a single, unified approach to image

management, profile access, and application delivery. Installed as a software agent, FSLogix

Apps seamlessly integrates with Windows centric desktop virtualization solutions from Mi-

crosoft, Citrix, VMware, and other industry leaders.

FSLogix has targeted the following three solution areas to address with its FSLogix Apps solu-

tion:

1. Gold image consolidation: With FSLogix’s Unified Base Image technology, enterprises

can combine all applications, plus browser and app plugins, onto a single gold image,

or greatly reduce their current number of images. Based on the image masking tech-

nique, users see only the applications, plugins and other components that they are li-

censed and authorized to see, simplifying application delivery across physical and vir-

tualized Windows infrastructures. Every application, extension, font, etc., installed in

the Unified Base Image is available in real time to users authorized to access them.

2. User profile delivery (access, virtualization, management?): Profile Containers are lo-

cal or remote volumes, which eliminate the need for folder redirection or Roaming

Profile optimization, allowing users to have a consistent, familiar, workspace experi-

ence with no limitations on the size of the profile or the size of any individual files. This


Smackdown


approach solves the problem of large files, and OST.’s in VDI and RDSH. Users and

businesses increase productivity by having access to their unique work environment

on any device. Unlike other products, FSLogix provides this solution without the over-

head of remote servers and additional configuration databases.

FSLogix Profile Containers:

Sub 15-second logons across all environments and locations

Office 365 and internally managed email perform as good as natively installed

Elimination of logon storms and recovery of critical server and network infrastructure

3. Slow logon and application launch times are one of the top complaints in virtual desk-

tops. Profile Containers are a new architectural approach to address this problem. In-

stead of placing all of the user’s files on a network share like in the redirected files ap-

proach, FSLogix encapsulates the entire profile –including the registry– in an in-guest

container. This advanced filtering approach removes the maximum amount of re-

source utilization from processing user profile data and eliminates the need for legacy

profile products and folder redirection. User profile performance is indistinguishable

to local, yet administrators receive the benefits of centralized profiles, including easy

off loading for data retention and compliance, with little or no ongoing administration.

Just-in-Time application delivery: FSLogix supports an unlimited number of Application

Containers for situations where combining all applications into a single image is not practi-

cal, for licensing or technical reasons. Application Containers may be either local or remote

volume libraries. Combining Application Containers with Unified Base Image technology

provides the flexibility to IT to use the optimal design approach for their unique require-

ments

When using Apps it is not necessary to sequence or package applications. All applications are

installed natively using the application’s .msi install. From there, FSLogix Apps takes advantage

of Active Directory to control the visibility of when any application is visible to individual users

or groups.


Smackdown


Installed as a software agent, Apps has key advantages over traditional application virtual-

ization solutions:

Native application performance. Since applications run natively, performance is not

impacted.

Supports all Windows applications. Platforms can be traditional or virtual desktops.

No need to sequence or package applications. Since applications run natively, there is

no need to sequence or package. Consequently, all applications, including applications

with device drivers, are supported (e.g. iTunes, Adobe Acrobat, Citrix and View clients).

Compatible with existing application virtualization solutions. Complements existing so-

lutions especially for applications that cannot be virtualized.

Citrix XenApp/RDSH silo consolidation. A single image can contain all virtualized and

remote applications for all users, eliminating the need for silos.

Multiple application versions in the same image. Application versions reside in the im-

age and are assigned to individual users.

Time-to-deploy significantly reduced. Since no packaging is required, FSLogix Apps can

be installed onto existing servers and systems for quick deployment.

Simplified image management. A single image can contain all versions of all applica-

tions for all users.

Easy license management. Applications can be revealed or removed in accordance

with license requirements.

Compatible with application management systems. Can be used with solutions from a

variety of vendors, including Altiris Client Management Suite or Microsoft System Cen-

ter.


Smackdown


Licensing

The solution areas addressed by FSLogix Apps are sold as a single product, used for:

Real-time profile access

Java conflict resolution

Simplified version control

Instant application roll-back

Silo elimination

License compliance & optimization

Management of printer visibility

Ability to hide critical data files

FSLogix provides a fully functional trial version, which can be requested here.

7.8 LIQUIDWARE LABS

Introduction

Liquidware Labs ProfileUnity provides sophisticated User Environment Management with ad-

vanced features that lead the industry. The company separately innovated FlexApp, a unique

and robust application layering technology with a very high application compatibility rate – to

date higher than other similar offerings on the market. While the two products can be li-

censed separately, Liquidware Labs is the only independent vendor to provide this unique

combination of solutions from a single management console if desired.


ProfileUnity has been on the market since 2005, therefore the product’s User Environment

Management features are mature and comprehensive. Liquidware Labs acquired the solution

and development team in 2009 and added significant development resources – focusing on

new features, ease-of-use and innovation in the area of Application Rights Management and

Application Delivery though User Environment Management.

Today, ProfileUnity provides great value to organizations who are looking to replace roaming

profiles and folder redirection or basic profile management tools. Not only does ProfileUnity

address these needs with precision, the solution go beyond much of the competition, offering

many advanced features that are not found in competing products. In some cases features

that are built in to ProfileUnity are sold separately by competitors as additional add-on compo-

nents. Below are the four core areas covered by ProfileUnity’s User Environment Management

features:

Advanced Profile Management - ProfileUnity supports multiple versions of Microsoft

Operating Systems therefore customers can leverage ProfileUnity to on-board physical

desktop users to any new Windows desktop including virtual and server hosted desk-

tops. Subsequent to moving to ProfileUnity the first time, profiles never have to be

“migrated” as a ProfileUnity-managed profile can be made compatible across OS versi-

ons. Data outside of the profile in locations such as the HKLM area of the system regi-

http://info.fslogix.com/request-an-evaluation


Smackdown


stry and files anywhere within the system, can be made portable with ProfileUnity. Ex-

clusive ProfileUnity Profile Disk technology can be leveraged for superior performance

with large profiles and files including .PST and OST files.

Advanced Policy Management – ProfileUnity can be leveraged to go beyond the limits

of Microsoft Group Policies. ProfileUnity is much faster than similar Microsoft Group

Policy actions mainly because the solution’s Active Directory (AD) lookups are far more

efficient. ProfileUnity policies are also well documented which is useful when there is a

change of desktop administrators or audit. Any profile or policy attribute can be assig-

ned on a “Context-Aware” basis, including Microsoft AD attributes or on virtually any

type of criteria including virtual client name/client address, or location. It is very im-

portant to note that ProfileUnity runs “as Admin” privileges and can therefore be used

to secure (or lockdown) desktops or change machine level policy settings. Some UEM

solutions do not “run as Admin” and so, are very limited in their policy management.

Application Rights Management – While some UEM vendors charge separately for Ap-

plication Rights Management, ProfileUnity includes these features as standard. Appli-

cation Rights Management features enable administrators to manage application privi-

leges or restrict applications (white list or blacklist) from running by using one or more

context-aware settings. These features enable you to keep your desktops and network

secure by limiting and elevating user rights per application and process. This allows

you to keep your users as Standard Users and only elevate them to local Administrator

when needed to perform a specific task/application.

Advanced User Data Management – ProfileUnity includes robust folder redirection

options that will not only redirect key folders for best practices, like My Document and

the Desktop, but can also migrate user authored data in the background. This feature

is particularly helpful when on-boarding users from legacy physical desktops to new

physical or virtual desktops.

Architecture

Straight-forward, yet Highly Scalable Architecture

ProfileUnity was designed by Desktop Administrators for Desktop Administrators. Since the be-

ginning, the Liquidware Labs development team has always made it a priority to keep the pro-

duct architecture straight-forward, easy to scale to tens of thousands, and highly available.

There are no SQL clusters or other servers needed in the architecture therefore there are no

hidden costs and no challenges when you scale to hundreds or thousands of users. For this

reason, ProfileUnity is also very easy and quick to install and configure. A proof of concept is

possible in under one hour.

ProfileUnity’s architecture leverages existing network and Windows® infrastructure. The main

agent is very lightweight (apx. 6mb) it can be cached down at logon to users’ desktops through

an included Microsoft® Group Policy template. It can also be easily included in the base image

of your desktops. Regardless, the agent files, configuration and related services are hosted on

a network file share that is already highly available, scaled, and features read-only access for


Smackdown


users. Because of these requirements, the best location for this file share is the Netlogon share

on your domain controllers. The Netlogon location is not a hard requirement, an alternative

file share path can be used.

User Profiles are stored in the user’s standard replicated network file share location such as

their “home drive.” Even if FlexApp application layering features are leveraged, virtual disks

are also hosted on replicated storage paths. With this straightforward architecture, even if the

ProfileUnity Management Console goes offline, ProfileUnity will continue to run on users’

desktops. If VMDK layers are chosen the architecture remains straightforward but the ProfileU-

nity Management console will be replicated to standard Windows Servers to ensure high-avai-

lability.

Application Layering

Liquidware Labs FlexApp Application Layering is an advanced technology, tightly integrated

within the ProfileUnity User Environment Management platform. It is a fully integrated solu-

tion that leverages profile settings and policies but can also be implemented as a stand-alone

solution. FlexApp enables Administrators to assign department-level applications to groups of

users, and to, optionally, empower selected users to install their own applications. FlexApp

complements application virtualization solutions that use isolation, such as Microsoft App-V

and VMware ThinApp. FlexApp application layering is also compatible with many desktop vir-

tualization platforms, including Citrix XenApp/XenDesktop and VMware Horizon View. These

environments can be kept ultra-secure, by leveraging ProfileUnity's Application Rights Ma-

nagement features, which eliminates the need to make users full "Local Admins" in order to

run or install applications. FlexApp technology supports Application Strategy design, Applica-

tion Delivery approaches and Application Lifecycle Management.

Delivering applications as layers requires a robust management and often times User Environ-

ment Management is very closely related. Because Liquidware Labs has integrating Application

Layering with User Environment Management, the two solutions solves many needs in the

area of Application Delivery including:


Smackdown


Robust User Profile Availability – ProfileUnity makes a complete user profile available

including the persona settings of virtualized and layered applications.

Delivery of layered applications by user environment settings, including assignment

per Active Directory Group, user, or one of over 300 combinations of context aware

settings included with ProfileUnity.

Application Restrictions – often applications may need to be layered to a shared envi-

ronment such as an RDSH server. Application Rights Management in ProfileUnity al-

lows for applications to be restricted by a context-aware setting and/or Active Direc-

tory criteria.

Privilege Elevation – often applications may require local Administrator rights. Profi-

leUnity includes secure privilege elevation of select applications per user, group, or

other context-aware setting.

Registry modifications – often applications may need registry settings to be changed

to function as desired. For example, run once dialog boxes may need to be repressed.

ProfileUnity can merge, exclude, or replace registry keys to enhance the seamlessness

of application delivery.

Exclusive Features and Benefits of ProfileUnity Compared to other UEM solutions

There are many reasons to choose ProfileUnity for your User Environment Management

needs. Many Fortune 500 as well as industry-leading organizations have chosen the solution

for one or more of the following compelling reasons:

Fast user logins

Robust and complete User Environment Management

Straight-forward and highly –scalable architecture with no hidden costs

Ease-of-use – short learning curve with no need to hire dedicated staff

Proof-of-concept can be completed in under an hour

INCLUDED Application Rights Management features

License cost that is often half the price of competitors

FlexApp Application Layering that leads the industry (optional licensing)

Highly-available and highly resilient design

Liquidware Labs Essentials Suite

Liquidware Labs provides comprehensive User Environment Management, Application Laye-

ring and User Experience Monitoring in one convenient and extremely affordable suite known

as Essentials, which includes ProfileUnity with FlexApp, Stratusphere UX, and Flex-IO.

Thousands of customers have discovered that the following solutions are necessary to launch,

scale and optimize next-generation desktops:

User Environment Management with ProfileUnity One user profile across VDI, RDSH, DAAS & physical devices

Up to 10X faster logons vs. roaming profiles or basic profile tools

Application and User Right Management features

Location/context-aware policy and profile capabilities

http://www.liquidwarelabs.com/products/profileunity


Smackdown


Automated migration to Windows 7/8.x and Server 2008/2012r2

Application Layering with FlexApp Reduce the number of master desktop images to manage Deliver applications on demand

Gain persistent user experience with non-persistent infrastructure

Provision application volumes as VHD or VMDK

Gain full compatibility with Citrix Provisioning Services and Machine Creation Services

Visibility with Stratusphere UX - User-Experience Monitoring Diagnose true root cause and identify resource constraints Optimize resource utilization and performance

Grow and scale virtual desktop environments with confidence

IOPS Acceleration – Flex-IO Boost resources for an apx. 25,000 additional IOPS per virtual host Reduce latency by as much as 75% Compatible with persistent and non-persistent VDI environments

A Flex-IO server license is provided upon request per Liquidware Labs customer

Licensing and Contact Information

ProfileUnity with FlexApp is available for $59 per named user. The Liquidware Labs Essentials

Suite is available for $79 per named user. Concurrent licensing is available for Education and

Healthcare customers. Other pricing configurations are available. Pricing subject to change at

any time and may be regional.

Liquidware Labs products are Citrix Ready, VMware-certified, and are available through a glo-

bal network of partners. Visit www.LiquidwareLabs.com to learn more or download trial soft-

ware. Contact [email protected] for more information.

http://www.liquidwarelabs.com/products/profileunity-flexapp

http://www.liquidwarelabs.com/products/stratusphere-ux

http://www.liquidwarelabs.com/



Smackdown


7.9 NORSKALE

Introduction

Norskale believes that user experience, simplicity, and cost savings are the most im-

portant factors when choosing a workspace management platform. Norskale is an easy-

to-use, 100% software solution that cuts the cost of desktops and applications, and de-

livers the best possible workspace performance—best application response times, ac-

celerated logons, and a truly dynamic desktop—for any IT environment.

The Norskale solution and its benefits have been proven in large and small environ-

ments alike, including in an 80K seat environment that reached peak performance and

simplicity of management after less than a week in production. 56% of users say that

application reactivity and instant login are the main benefit of a new desktop. Norskale

ensure a constant high level of performance on any Windows device throughout the life

of the device.

Norskale delivers the functionality users need in only a few days, and offers a variety of

licensing options for optimal flexibility and value. Norskale provides the best and most

consistent user and end-user experience, while ensuring the lowest installation and

management costs for all physical and virtual desktops and applications.

Benefits

10-second logon and response times for all physical and virtual desktops and ap-

plications.

Consistently fast application reactivity through constant CPU and RAM optimiza-

tion.

Optimized CPU and RAM utilization reduces each end-user’s footprint, and on

the whole, a minimum of 20-25% more users can be accommodated per server.

Intuitive central console for all user environment management. Because man-

agement is simple, administrators are fully trained in a single day, no matter their

level of technical expertise.

Scripts/GPO/GPPrefs can be eliminated in a few clicks.

Brings full context awareness to all elements of the workspace, and provides all

end-users with the custom resources and access they need.

Optimizes and simplifies management of Citrix User Profile Management (UPM)

and Microsoft Roaming Profiles (USV).

Proprietary self-services and self-healing for end-user workspaces reduce sup-

port calls by up to $200 per user annually.

Fully installed and configured in just a few days, even in the most complex envi-

ronments.

Granular and completely delegated admin console.


Smackdown


Fast, easy, and complete reversibility; no uninstall impact or vendor lock-in.

Functionality

User Profile Management By replacing logon scripts and desktop lockdown Group

Policy Objects (GPO), Norskale simplifies the job of the IT team by removing com-

plexity from any new or existing implementation. The settings are intuitively de-

signed for easy learning and are accessible through the central console.

Norskale optimizes and centrally manages both Microsoft Roaming Profiles and Citrix

User Profile Management (UPM) profiles. Both technologies are the de facto standard

on SBC and “fat” environments. Norskale ensures profile integrity, while making sure

that sizes and speed are always best in class, and in the process, greatly reduces the

cost of high-end storage typically associated with profiles.

User Personalization Scripts, GPO, and GPPrefs are messy and often result in slow

desktop logon times. Norskale quickly eliminates these factors that cause complexity,

and automates workspace management through a simple, intuitive console. Because

Norskale is easy to manage and maintain with limited training required, there is no

need to rely on a limited number of experts. The flexible Actions engine allows users to

easily define every action needed to replace even the most complex login script, while

ensuring top-notch performance.

Application Access Control Norskale keeps the IT environment agile, and quickly iden-

tifies each end-user device type, and dynamically adjusts the workspace for optimal ef-

ficiency and security. In addition, by using dynamically configured software restriction

policies through Whitelist and Blacklist, Norskale protects the system as a whole.

Norskale Transformer (patent-pending) further reduces project rollout times and de-

ployment costs, by instantly converting a connected Windows terminal into virtual ma-

chine clients. This add-on module transforms the PC into a customizable and user-

friendly kiosk interface, where end-users launch their virtual or hosted desktops and

applications, and locally installed applications seamlessly, while the underlying Win-

dows operating system remains fully locked down and secure.

Resource Management By using innovative algorithms that change the way appli-

cations consume system resources, patent-pending Norskale technology extends

the life of hardware, and delivers desktops and applications that are significantly

faster and more cost-effective.


Smackdown


Norskale optimizes the way applications consume RAM, CPU, and Input/Output

(I/O), reducing hardware requirements—including during application migration—

by up to 70%. Virtual server sizing is based on average usage—not peak usage, de-

livering a better ROI and extending hardware life for a lower TCO. The non-intrusive

Norskale technology monitors and analyzes user behavior in real time, optimizing

the resource allocation process and the way applications run, to ensure that all us-

ers have the required amount of resources. In addition, Memory Management

functionality analyzes and optimizes idle applications and processes, dynamically

forcing them to release any extra memory they are not using.

Norskale optimizes RAM, CPU, and Input/Output (I/O) in any pure or hybrid desktop

environment, including physical and virtual desktops, and published desktops and ap-

plications. The results are fast application response times, and up to 70% more users

per server.

Application Delivery Norskale supports local and virtual applications, including Citrix

XenApp, and Microsoft RDS and App-V. All application and resource types are deliv-

ered and controlled according to end-user context. Further, the Manage Applications

feature allows end-users to access their context-available resources and self-create

shortcuts in desired locations.

Monitor, Audit and Report Through the Modeling Wizard and the Resultant Actions

Viewer, administrators are able to view assigned actions applied to specific users, and

data is provided to understand them; for example, the reason certain actions were dis-

carded during an assignment process.

Norskale also includes useful issue-tracking functionality with helpdesk features that

save time and reduce support calls. For example, if an administrator needs to report an

issue, he can instantly send screenshots and a detailed automated email report that

includes data about the current environment to his Support Team.

Architecture

The Norskale architecture is highly scalable and resilient, allowing administrators

to centrally manage large environments (80K+ users) without added complexity or

high infrastructure costs. This non-intrusive and compatible technology ensures a

smooth deployment in new and existing IT environments. It can be deployed within

a few hours and managed on a daily basis, without the need for extensive training.


Smackdown


Norskale is committed to streamlining product development on an ongoing basis to

maintain minimum infrastructure requirements. All major client and server operating

systems are supported, including native 64-bit support on all platforms (no emulation).

A Low Footprint Agent is deployed in each user workspace to minimize network usage

without impacting performance. The server itself is extremely compact and can with-

stand a very large user base within a single VM. Norskale natively supports mirroring

and clustering on the SQL Server side, and the Broker and Workspace Agents are

equipped with full offline capabilities.

Licensing

Norskale is licensed on a per-named-user basis. This license is perpetual. The mainte-

nance contract includes support, and major and minor release access. Site licenses,

rentals, and other licensing options are also available, so that each customer can bene-

fit from a licensing model that meets their workspace and budget requirements.


Smackdown


7.10 POLICYPAK SOFTWARE

Introduction

PolicyPak delivers, enforces, locks down and remediates application, browser and operating

system settings. For brevity, we will describe only the following three components:

PolicyPak Application Settings Manager

PolicyPak Browser Router and

PolicyPak Admin Templates Manager

There are two editions of PolicyPak:

PolicyPak On-Premise Edition: for domain joined machines which are managed by

Group Policy, SCCM or any on-premise management system.

PolicyPak Cloud Edition: for domain joined or non-domain joined machines.

PolicyPak Cloud edition has the special ability to deliver all real Microsoft Group Policy settings

using the Internet (Video demo.) You can see where PolicyPak On-Premise and/or PolicyPak

Cloud might be used in your company in the Figure below.

Figure 6: PolicyPak has two suites which can be used separately or together

All directives are created and edited in the familiar Group Policy environment. Computers

and/or Users can be managed.

http://www.policypak.com/video/policypak-cloud-deploy-group-policy-admin-template-settings-over-the-internet.html


Smackdown


Figure 2: PolicyPak directives are created, edited and (optionally) exported using the Group Policy editor

interface

All items can then be delivered using Group Policy, or optionally exported and delivered using

SCCM (or any other on-premise delivery tool), or uploaded and delivered to PolicyPak Cloud.

Quite simply: IT administrators don’t need to add any additional infrastructure or learn any-

thing new. If they use Group Policy, SCCM or another on-premise delivery tool, then IT admins

already know how to use PolicyPak and have everything they need in order to implement im-

mediately.

PolicyPak’s settings are simply delivered and enforced when a user roams to a new machine,

uses a Terminal Server or Citrix machine or starts up a VDI machine. PolicyPak also works with

virtualized applications (Microsoft App-V 4.6 or 5.0, VMware ThinApp 4 or 5, Symantec Work-

space Virtualization, and others).

All PolicyPak components and settings are “Context Aware” with the same “Item Level Target-

ing” editor that the Group Policy Preferences uses. This enables administrators to specify con-

ditions as to when PolicyPak directives should apply to users or computers. The UI is exactly

like Group Policy Preferences and requires no training for existing Group Policy administrators.

(Video link to PolicyPak and Item Level Targeting).

Note additionally that these Item-Level Targeting filters are active and available when Poli-

cyPak directives are deployed via Group Policy, or when using your own systems management

utility like SCCM, or when using PolicyPak cloud.

For details on the other components in the suite, check out the PolicyPak Website, Poli-

cyPak.com.

PolicyPak Application Settings Manager

PolicyPak can deliver and enforce settings for just about any application that stores their set-

tings in the Registry, INI files, XML files, JS files, or any other formats (that Microsoft’s built-in

Group Policy, Group Policy Preferences and ADM/ADMX templates simply cannot manage.)

http://www.policypak.com/video/policypak-using-item-level-targeting.html




Smackdown


PolicyPak has pre-configured Paks to configure common applications like Firefox, Flash Player,

Java JRE, Internet Explorer, Google Chrome, Acrobat Reader, Acrobat Pro, Skype for Business

Client, AutoCad, Shockwave and over four hundred more.

PolicyPak has special enhanced coverage for Firefox, Java, and Internet Explorer to manage

nearly all aspects of these applications including deploying certificates, managing bookmarks,

and preventing add-ons.

Figure 3: PolicyPak Application Manager, some pre-defined Paks, and user interface

PolicyPak Application Settings Manager also comes with the PolicyPak Design Studio which en-

ables admins to quickly create their own Paks and manage their own in-house applications.

(Video demo.)

PolicyPak’s AppLock™ feature can gray out or hide many applications’ user interface settings as

well as perform lockout on applications’ entire tabs. This prevents users from working around

its recommended application settings within the UI.

PolicyPak’s ACL Lockdown™ feature takes ownership of the Registry and/or file-system pieces

from the user and application. In this way, settings are strictly guaranteed and cannot be

worked around.

PolicyPak keeps IT settings enforced even when the user is completely offline and discon-

nected from the network. See how PolicyPak Application Settings Manager can manage Inter-

net Explorer, Firefox, Chrome, Java, and 400+ more applications (website with video demos.)

PolicyPak Browser Router

PolicyPak Browser Router manages your modern multiple-browser environment.

http://www.policypak.com/support-sharing/policypak-designstudio-how-to.html

http://www.policypak.com/products/policypak-application-manager-including-policypak-designstudio.html


Smackdown


Now you can automatically ensure that users launch the right browser for the right website.

The result is that websites load in for the most compatible and secure browser as dictated by

the IT team.

Guide specific websites or website patterns to open in Internet Explorer, Firefox, Google

Chrome or Edge (forthcoming) as well as Custom browsers for use with App-V or ThinApp for

specific websites or patterns. Users never have to think; you’ve done all the thinking for them.

Figure 4: PolicyPak Browser Router will open the right browser for the right website

Creating a rule is point-and-click easy within the Group Policy editor to make a “route” be-

tween a website (or pattern) and the browser you want to open. Your rules are created and

contained within the GPO. Additionally for Internet Explorer, you can dynamically set Compati-

bility and Enterprise modes like what is seen here.


Smackdown


Figure 5: PolicyPak Browser Router User Interface within Group Policy

PolicyPak Admin Templates Manager

PolicyPak Admin Templates Manager enables you to consolidate Group Policy settings from

many GPOs into only a few GPOs.

So instead of having many, many GPOs, you can consolidate your GPOs and target which policy

settings will occur under what specific conditions (Video Demo).

http://www.policypak.com/video/policypak-admin-templates-collections-and-item-level-targeting.html


Smackdown


Figure 6: PolicyPak Admin Templates Manager enables Collections of real ADMX and ADM Group Policy settings

As a bonus, once policies are in a collection, Group Policy settings can be exported as XML files

and be optionally:

delivered using SCCM or other on-premise management tool (Video Demo) or

delivered using PolicyPak Cloud (Video Demo).

Licensing

There are multiple components in the PolicyPak suites, and all components are included to

customers in good standing.

PolicyPak On-Premise is licensed per active (non-disabled) computer account in Active Direc-

tory plus any concurrent connections to Terminal Services or XenApp. PolicyPak on-premise

can be licensed per OU, multiple OUs (parent-child, or unrelated OUs), or for an entire domain.

PolicyPak Cloud is licensed in 100-license blocks. Licenses are consumed from a “pool” of li-

censed. Any desktop or laptop can consume a license.

More about licensing PolicyPak can be found here.

http://www.policypak.com/video/deploying-group-policy-admin-templates-using-sccm-intune-or-your-own-systems-management-software.html

http://www.policypak.com/video/policypak-cloud-deploy-group-policy-admin-template-settings-over-the-internet.html

http://www.policypak.com/purchasing/how-to-buy-licensing.html


Smackdown


7.11 RES

Introduction

RES was founded in 1999 by Bob Janssen while he was looking for a way to

simplify the management of several users on a Microsoft Terminal Server.

Today, RES is a leader in digital workspace technology, empowering IT to

make digital workspaces secure, automated and people-centric for easy

adoption and use.

RES ONE Workspace allows IT to centrally manage and secure apps and services for the work-

force across the most complex environments, including physical, virtual and cloud based solu-

tions. RES ONE Workspace offers today’s digital workforce a better, more personal technology

experience, while giving IT the control to increase security and reduce costs. Configuration and

management are centralized, so IT can build workspaces that roam across devices, operating

systems, delivery platforms and more. RES ONE Workspace can be combined with RES ONE

Automation and RES ONE Service Store in the RES ONE Suite to fully empower the workforce

through self-service and automated delivery and return of the right apps and services to each

person’s secure digital workspace.

Architecture

Figure 7: RES ONE Workspace Architecture

The RES ONE Workspace architecture is simple and capable of managing many network topol-

ogies, scalable and easy to install and maintain. None of the components require dedicated

hardware.


Smackdown


RES ONE Workspace Console:

The RES ONE Workspace Console is the administration center of your workspace environ-

ment(s) and installed on a Windows-based platform. The management console is used to cre-

ate the list of all possible desktop items that need to be composed and secured in a user work-

space. The management console is intuitive by offering a workspace designer which helps you

setup the environment. Workspace simulation lets you find out which configuration items are

used to build a specific user workspace and offers a way to simulate the behavior of changes.

In the management console, you can create role-based access to the console, and itis the main

interface for the IT professional.

RES ONE Workspace Datastore:

The Datastore is the central database for your RES ONE Workspace environment. All comput-

ers in a RES ONE Workspace environment connect to this database. It runs on a central data-

base server that you have installed prior to installing the RES ONE Workspace Console. The

datastore can exist on any of the following database types: MS SQL (including Express and Az-

ure), Oracle, DB2 and MySQL.

RES ONE Workspace Relay Server (optional):

The Relay Server component makes it possible to create a flexible architecture that consoli-

dates and centralizes all RES ONE Workspace configuration data into one central database,

while ensuring that dispersed Agents across multiple sites obtain configuration data efficiently

and in a timely manner. Relay Servers are an optional infrastructure component and are used

by many organizations in order to improve scalability, reduce network traffic and reduce the

overall Datastore load. Relay Servers Cache information from the Datastore and pass it on to

Agents or to other Relay Servers. Agents can be configured to contact the Datastore directly,

or to use Relay Servers. The relay server can be installed on Windows, but RES also have a

Linux version available on request.

RES ONE Workspace Agent:

An agent can be installed on Windows, Mac (OS X) or Linux. This can be a terminal Server, a

workstation, laptop or a VDI desktop. Each Agent is available in the Management Console. All

data is available in the local data cache, regardless of the availability of the Datastore. Each

Agent presents the end user with a uniform workspace managed by the Workspace Composer.

The RES ONE Workspace Composer builds the users workspace, regardless of the technology

stack used. This includes all applications, registry, menu items, files, and settings to which the

user is granted access.

Linux and Mac OS X agents support the managed applications Security feature, providing the

capability to allow or block executables in user sessions based on Authorized Files with MD5,

SHA-1 and SHA-256 file hashes and must be connected to a RES ONE Workspace Relay Server.


Smackdown


Functionality

User Profile Management: Save and apply profile data per application (instead of loading the

whole Windows profile during logon). Setup can be done by using built-in templates or can be

discovered by running an application in learning mode. You can offer users to restore their

own profile settings (per application) via self-service.

Context Awareness: RES builds a workspace based on the current and actual user state such

as location, time, device and identity of the user. Context can be based on AD group member-

ship, location awareness by determining the strongest wireless access point and device type.

Context awareness can be used to deliver the right services to the right user at the right time

and location.

Security: Restricting access to applications, data, network, websites and removable storage

based on context. Enabling user rights management by elevating privileges on applications in-

stead of elevating the user to local administrator. Rendering all local drives read-only by a

simple check-box instead of cumbersome policies and NTFS configurations. File access based

on hash (MD5, SHA-1 and SHA-256) is a recent addition to RES ONE Workspace. For organiza-

tions that have strict security and compliance initiatives, a RES ONE Workspace installation can

be configured for FIPS compliance for superior security and encryption across components and

the way they communicate with each other.

Desktop and Application Management: Enables object oriented management of what IT of-

fers the end user. This includes items such as printers, applications, data sources, e-mail tem-

plates, folder redirection and synchronization. Giving the user access only to the items he/she

needs to be productive from a standard desktop.

Integration: Simplifies management, access and configuration of application virtualization

technologies, publishing technologies and application deployment technologies from a single

console.

Compliance: Supporting software license and asset management by enabling application li-

cense metering and enforcement in hybrid desktop environments. Providing detailed audit in-

formation and insight on configuration changes and enforcing change management through

granular role based access control.

Reporting & Analysis: Providing first line support with analysis that helps them perform ad-

vanced real-time troubleshooting to resolve issues quicker as well as providing detailed insight

in workspace usage including applications, sessions and websites. RES Viewpoint is used as a

companion to RES ONE Workspace, and provides customers a wealth of information about the

as-is environment prior to deployment of RES ONE Workspace or any other change to the

desktop. Because it is based on Microsoft Azure, there are no infrastructure requirements at

all.

Session Performance: Ensure a stable and resource efficient end user experience by enabling

performance optimization mechanisms.


Smackdown


Desktop Transformation: Transform any existing desktop infrastructure into managed user

workspaces with an intuitive wizard. Desktop transformation allows IT professionals to use cur-

rent user state data to design the user workspace and implement step-by-step only applying

the necessary configuration.

Simple and Efficient Management: Simplify management of the desired user state by provid-

ing video tutorials, setup wizards and instant reporting of configuration. Building-blocks enable

easy and quick move of any configuration between environments such as development, test &

verification and production. Workspace Simulation allow the IT administrator to test impact of

infrastructure changes before actual implementation.

Delegation of Control: Role-based access to specific configuration parts in the console.

Reverse Seamless Technology: Deliver local application and data experiences to remote,

hosted virtual desktops.

Benefits

RES ONE Workspace offers enterprises a variety of benefits around increased productivity, re-

duced costs and improved security and compliance.

Increased Productivity: The ability to mask routine technology changes and upgrades and limit

workforce disruption is a major advantage of RES ONE Workspace. Migrations become zero

impact, and day-in and day-out, users have an optimized workspace that dynamically adapts

based on context. RES enables a mobile workforce.

Lower Cost of IT Operations: By centralizing management of users across all virtual and physi-

cal delivery platforms, IT no only saves time, but also maximizes the investment made in vir-

tual desktop technology. RES has also been proven to reduce service desk tickets related the

user experience by delivering an optimal workspace. Additionally, enterprises are able to bet-

ter control license use by having full visibility into the usage of apps and services in the work-

space, eliminating costly finds for over-usage.

Greater Security and Compliance: The need to protect and organization and mitigate risks has

never been higher. RES allows IT teams to define and enforce granular context aware access

policies to ensure that access is safe and compliant. Application and web security features pro-

tect the organization from cybersecurity threats and other risks at the user level, giving enter-

prises an added layer of security.

In addition to these benefits, RES ONE Workspace provides the foundation

that organizations need to provide the most comprehensive digital work-

space experience to employees. RES customers can leverage other solu-

tions in the RES ONE Suite to power their workspace with automation,

predictable service delivery and return and self-service capabilities. Com-

bined, IT has the tools needed to design, build, deliver and control every

aspect of the worker’s business journey with intuitive self-service and se-

curity that adapt at each step along the way.


Smackdown


Licensing

RES ONE Workspace can be purchased using either the concurrent or named user licensing

model.

RES ONE Workspace consists of three modules and customers can purchase any combination

of the modules to match their needs:

• Dynamic Configuration - delivers a context aware user workspace independent from

the infrastructure;

• Delegation and Compliance – Diagnostic, troubleshooting and the integration with

other technologies;

• Adaptive Security – delivers a context aware security layer that is created around the

workspace.

References

Website: http://www.res.com

Youtube channel: https://www.youtube.com/user/RESSoftware/videos

Admin guide: https://support.ressoftware.com/WorkspaceAdminGuide2015/

http://www.res.com/

https://www.youtube.com/user/RESSoftware/videos

https://support.ressoftware.com/WorkspaceAdminGuide2015/


Smackdown


7.12 TRICERAT

Introduction

TriCerat has been helping organizations ranging from 20 users to multi-national corporations

address the complexities of virtual environments since 1997. Although the company started

with ScrewDrivers, a product for solving the printing headache in server based computing envi-

ronments; the portfolio has grown to address all of the most common challenges in managing

physical and virtual desktop estates.

The Simplify Suite consists of a set of solutions that enable an administrator to easily manage

all main aspects of the user desktop environment from one pane of glass, while overcoming

the typical complexities found in IT environments today. These solutions include enterprise

profile management, application access restriction, desktop customisation, server stability and

a true print management solution.

The triCerat approach remains true to its ScrewDrivers beginnings, namely to create a fully

scalable solution that gives the right level of functionality to solve the fundamental issues with-

out adding to the management complexity elsewhere. The result is that not only do common

problem areas get addressed, but triCerat's approach promises that even the most junior of

administrators can quickly get to grips with the console, ensuring customers can quickly adapt

their IT environment to meet the changing needs of their users.

As well as the enterprise tools that form the Simplify Suite, triCerat offers a set of point solu-

tions that offer a quick-fix to issues like slow logons from roaming profiles and the challenge of

scanning in a server based computing environment.

Functionality

TriCerat’s Simplify Suite includes the following solutions:

PROFILE MANAGEMENT

TriCerat’s hybrid profile solution solves all common profile issues like slow logon times, profile

corruption and bloat, while overcoming v1/v2 and 32-/64-bit profile issues encountered when

migrating to a new OS or server platform. Registry keys are migrated into the Simplify data-

base and can be assigned rules (Save/Restore, Set, and Delete) in order to restrict profile bloat

and ensure a fully personalized user profile. A corrupted registry setting can be replaced with

the last known good version that was saved on the database. Folder redirection, drive map-

ping, drive restrictions, and Windows Explorer restrictions can be quickly and easily configured

in the console.

PRINT MANAGEMENT

TriCerat’s driverless printing solutions addresses slow printing, network bandwidth spikes, and

spooler crashes. The proprietary TMF print format achieves an average of 90% compression

rates and the print job streaming minimizes stress on the network. This solution is superior to

universal print drivers because it is compatible with 100% of printers, recognizes advanced

printer functionality, and eliminates the need to install printer drivers on the server. The Active


Smackdown


Directory integration enables proximity printing and through a print server fully supports print-

ing to any device (including thin clients, PDAs etc.).

DESKTOP SECURITY & CUSTOMIZATION

The administrator is given the tools to quickly and easily create a lock down on all aspects of

the user environment including the desktop, start menu, and taskbar functionality. This in-

cludes the triShell OS shell replacement that offers a similar experience across access devices

and is more secure and less memory intensive than the explorer.exe shell.

APPLICATION CONTROL

TriCerat uses trusted and banned lists to together with secure application signatures to control

what applications can be accessed by the user and ensure licensing compliance. Application

access is also location aware, allowing an application to launch depending on whether the user

is in the office or not.

SYSTEM PERFORMANCE

TriCerat’s system performance component ensures system stability and maximizes the number

of quality user sessions on the server by controlling CPU and memory resources. This is partic-

ularly suited for controlling legacy and rogue applications that hoard CPU and affect all users

on the server. Rules are set to first lower the priority and then clamp down CPU on the applica-

tion and user level until normal levels return.

Benefits

TriCerat’s approach to user environment management is not only to cut the costs of managing

an enterprise IT environment, but to do so at a level of complexity that even a junior adminis-

trator on the helpdesk could manage. TriCerat will allow all aspects of the user environment to

be controlled and altered based on the changing needs of users from the straightforward,

powerful Simplify Console. TriCerat offers a superior method to environment management in

the following ways:

• Centralized management for controlling whole user environments. One Active Direc-

tory querying management console is shared between all solutions that comprise the

Simplify Suite. This works with any combination of virtual or physical desktop environ-

ments, giving administrators an accurate picture of what the user sees on their desk-

top.

• Group Policy and script-free management. The Simplify Suite reduces the reliance on

policies and scripts for both setting up and managing the user environment. This re-

duces the time needed for new environment configurations and allows administrators

to quickly apply changes required by the user without the risk of undermining baseline

policy.

• Full personalization for the user and full control for the administrator. User acceptance

of a new environment is ensured by allowing users to personalize their work environ-

ment while administers retain full control. This includes assigning rules to what parts

of the registry are to be save/restored, set, or deleted.


Smackdown


• Solves main migration headaches when changing OS, server bit platform, access de-

vices, and virtualization technology. Migrations throw up unexpected hurdles that af-

fect profiles, printing and the user desktop experience. TriCerat addresses all of these

issues in advance and includes migration tools for bringing existing user settings into a

new environment.

• Reduces helpdesk costs by speeding resolution times. TriCerat overcomes most of the

common problems associated with managing the user environment in real-time, re-

flecting changes immediately on the desktop without requiring the user to restart their

machine. Doing so allows administrators to assist employees in getting back to work

quickly.

• Increased security of the user desktop minimizes threats. Full control of the user desk-

top allows administrators to close all potential security holes that could cause prob-

lems for the user. Should users need further flexibility, changes are simply made in the

console.

Architecture

Simplify Suite modules need to be installed on every machine (workstation, Terminal Server,

virtual desktop) that requires Simplify Suite functionality. The installation of all Simplify Suite

modules comes under 100MB and can be fully automated. The Simplify database is built on a

Microsoft SQL database, which is built on Microsoft standards and thus supports SQL cluster-

ing and maintenance plans for backup and replication.

Figure 8: TriCerat Simplify Suite architecture

Licensing & Pricing

TriCerat products are sold on a per user or per server basis. Product modules that make up the

Simplify Suite (including Simplify Profiles, Simplify Printing, Simplify Lockdown, and Simplify

Stability) can be sold alone or as part of the Simplify Suite. During the time this document was

going to press, triCerat was exploring a SPLA model for managed services partners


Smackdown


7.13 UNIDESK

Note from the author: Unidesk is an increasingly popular desktop provisioning, application delivery, and

management platform in the Server Hosted Desktop (VDI) space. Unidesk’s layering technology is often

used in place of VMware Linked Clones, View Composer, View Persona, and VMware ThinApp by

VMware View customers and in place of Citrix Provisioning Server, Citrix Machine Creation Services, Cit-

rix XenApp, Microsoft App-V, Citrix Personal vDisk, and Citrix Profile Management by Citrix XenDesktop

customers. Unidesk isn’t a User Environment Management solution as such, we believe it is wise to add

Unidesk to this whitepaper and inform you about the functionality and potential.

Introduction

Unidesk is a provisioning and application delivery solution for virtual desktops hosted on

VMware vSphere. Customers use the Unidesk layering platform in combination with VMware

View, Citrix XenDesktop, and other brokers when:

They have a large number of applications that cannot be easily virtualized;

They want to keep the number of gold images to 1 to simplify Windows OS patching

and updates;

They have users who require persistent desktops to keep user-installed applications

and other customizations.

They want to reduce the amount of storage needed for VDI up to 85%.

Benefits

Cost Savings

Reduce storage requirements: Unidesk shares single layers of the OS and applications

across many virtual desktops and thin provisions user space to reduce SAN and NAS

capacity requirements up to 85% for both persistent and non-persistent desktops.

Reduce OpEx: Customers report that with Unidesk, they can layer almost any

application in less than 30 minutes, compared to the days it may require to virtualize

the same applications. Also, most Unidesk customers have only 1 gold image for all

desktops, compared to the 1 gold image for every 50-100 desktops required by non-

Unidesk VDI implementations. The savings in Windows patching and application

delivery time alone enables Unidesk to pay for itself in less then 6 months.

Reduce desktop support costs. Unidesk enables Level 1 service desk personnel to

repair damaged virtual desktops simply by rolling the desktop’s User layer back to a

previous snapshot. Bad registry keys and DLLs, malware, viruses, and other problems

can be fixed with a simple reboot, without having to reimage the desktop or lose all

user customizations.

IT Benefits

Minimize complexity. Unidesk's interface, "layer cake" approach to creating desktops

and full feature set means fewer point tools to learn.

Simplify application packaging and delivery. Traditional application virtualization re-

quires time and business knowledge to deal with the compatibility issues caused by


Smackdown


process isolation, and there are many applications that cannot be virtualized. Unidesk

can package any application in a fraction of the time. Just install the app the way you

would on a physical PC, and it can be immediately assigned to any number of desk-

tops.

Reduce patching time and costs. With only 1 gold image layer as the basis for all desk-

tops, Unidesk can deliver a virtually unlimited number of Windows hot fixes and up-

dates to all desktops in 1 day, without the patch failure rates typical of agent-based PC

management approaches.

End User Benefits

Full, rich desktop. Unidesk provides a consistently personal desktop experience that

ensures virtual desktop acceptance and enhances job satisfaction by making sure user

data, profile settings, and user-installed applications survive logouts, reboots, patches,

and upgrades.

Quickly receive new applications, updates, and patches from IT. Unidesk accelerates

delivery of new revenue-generating applications and patches needed for security and

compliance without time-consuming install procedures, scripting, or risk of patch fail-

ure.

Repair "broken" desktops instantly. End users don’t have to deal with lengthy desktop

downtime, or worry that personal settings and data will survive an attempted repair.

Unidesk can roll back user-installed applications or surgically repair specific applica-

tions, leaving all user data intact.

Functionality

Simpler, More Powerful Application Delivery

Unidesk can package and deliver applications in a fraction of the time required to virtualize the

same applications. Unidesk can also deliver antivirus, printer/scanner drivers, Office plug-ins,

and the many other applications that traditional application virtualization cannot. With

Unidesk layers, IT administrators can package or patch apps once, then assign them to any or

all desktops. If a mistake is made, they can simply roll the layer back to a previous version to

undo the problem.

Single Image OS Management

With all applications layered separately, all desktops can be created from a single, pristine Mi-

crosoft Windows gold OS layer. Administrators can patch the gold once, and all desktops get

updated. End users won't lose user customizations like they will with cloning solutions. Also,


Smackdown


the patch failures common with agent-based PC configuration tools are no longer an issue be-

cause of how Unidesk composites the new OS layer into every desktop using file system and

Registry virtualization.

100% Persistent Personalization

Profile management only captures user customizations that can be stored in a profile.

Unidesk’s storage-efficient persistent desktops capture everything - including profile settings,

data, and user-installed applications – and eliminate the need for profile management in most

cases.

85% Less Storage

By sharing the same OS and application layers across many desktops and thin provisioning user

layers, Unidesk cuts the VDI storage footprint up to 85% for both persistent and non-persistent

desktops.

Broker Integration Unidesk brokering connectors for VMware View and Citrix XenDesktop ena-

ble Unidesk desktops to be provisioned directly into View and XenDesktop pools and cata-

logs.Web-Based Management Interface Unidesk’s elegant management interface makes it

easy for administrators to provision, update, manage, and report on their entire VDI estate.

The web-based management console enables administrators to dynamically assemble desk-

tops from a pick list of independently packaged and versioned Microsoft Windows OS and ap-

plication layers.

Figure 9: Unidesk web-based management

Architecture

Unidesk is implemented as a system of “scale-out” virtual appliances that run on existing

VMware infrastructure.


Smackdown


The Unidesk Management Appliance hosts the Web-based management application that is

used by administrators to provision, patch, assign and report on virtual desktops. Only one

Management Appliance is typically needed for a VDI environment. The Management Appli-

ance also manages Unidesk policy and configuration, including information about Unidesk lay-

ers, desktops and users. The

Management Appliance can be

deployed on any host in the vir-

tual infrastructure as long as it

can communicate over TCP/IP

with Unidesk CachePoint appli-

ances and VMware vCenter

Server.

The first Unidesk CachePoint ap-

pliance deployed takes on the

special role of Master CachePoint,

storing all Operating System (OS)

and Application layers. In produc-

tion VDI environments, a dedi-

cated Master CachePoint appli-

ance should be deployed on a

separate host server to maximize virtual desktop performance. The Master CachePoint auto-

matically replicates OS and Application layers to other secondary CachePoints, where the lay-

ers are cached as VMDKs. Layers are replicated only if they are needed by at least one of the

desktops associated with a CachePoint.

Each secondary CachePoint caches the OS, Application and Personalization layers for the desk-

tops it hosts. The desktops are created with a small boot image in a VMDK file. At boot, this

disk supplies enough of the desktop operating system to load any drivers or early start services

required prior to the Unidesk filesystem drivers loading. Once the Unidesk drivers are loaded,

the desktop establishes connectivity to the correct OS, Application and Personalization layers,

stored as VMDKs in a directory structure under the CachePoint. All desktops assigned to a

CachePoint share the same OS and Application layers for dramatic storage savings. The Per-

sonalization layer for each desktop is then combined on top of the IT-controlled OS and App

layers. The virtual infrastructure and connection broker see Unidesk desktops as standard vir-

tual machines.

Licensing

Unidesk is based on a perpetual licensing model, with annual Complete Care service (support

and maintenance) mandatory for all purchases. The licensing unit is a Managed Desktop, de-

fined as the number of virtual desktops created, updated, and managed by Unidesk. This may

include persistent desktops (assigned to specific users, retain state, and used only by those us-

ers), non-persistent (don’t retain state, shared by many users e.g. labs), and non-concurrent

(may or may not retain state, shared by multiple users, but not at same time, e.g. shift work-

Figure 10: Unidesk architecture


Smackdown


ers). Customers may purchase 3 years of Complete Care Service upfront in return for a dis-

counted price. Unidesk also plans to add term/subscription licensing options for service provid-

ers and site/enterprise licensing options for large opportunities.


Smackdown


7.14 VMWARE USER ENVIRONMENT MANAGER

Introduction

VMware User Environment Manager™ offers personalization and dynamic policy configuration

across any virtual, physical and cloud-based Windows desktop environment. User Environment

Manager simplifies end-user profile management by providing organizations with a single,

light-weight and scalable solution that leverages existing infrastructure. It accelerates time-to-

desktop and time-to-application by replacing bloated roaming profiles and unmaintainable,

complex logon scripts. It maps environmental settings (such as networks and printers), and dy-

namically applies end-user security policies and personalizations. Utilizing the Horizon Cloud

Manager, this focused, powerful and scalable solution is engineered to deliver workplace

productivity while driving down the cost of day-to-day desktop support and operations.

VMware User Environment Manager is the successor of Immidio Flex Profiles – the most suc-

cessful Windows profile management solution, with more than 2 million users worldwide. Im-

midio developed VMware User Environment Manager in close collaboration with its large in-

stalled base.

VMware User Environment Manager offers a desktop that adjusts to the actual situation of the

end user, providing access to the IT resources that are required, based on a user’s role, device

and location.

VMware User Environment Manager consists of five functional areas: Application Configura-

tion Management, User Environment settings, Personalization, Application Migration and Dy-

namic Configuration. Each area is further described in section Error! Reference source not

found..

VMware differentiates its UEM solution from those from other vendors by focusing on the

core requirements needed to deliver a positive user experience, in a light-weight, simple to ad-

minister package. VMware User Environment Manager positively impacts end-user experience

and productivity, while leveraging existing IT infrastructure, resulting in a very attractive ROI.

Benefits

IT benefits: “Centralized and simplified user environment management”

Engineered to be simple yet powerful, scalable and fast; User Environment Manager

demonstrates value almost immediately

Accelerates upgrades, migrations, and on-boarding with easy to maintain policies and

tools.

Replaces unmaintainable, complex GPO and Logon Scripts with dynamic policy

Reduces helpdesk incidents by replacing bloated, corruptible Roaming Profiles with a

more efficient and scalable solution

End-User benefits: “Consistent and personalized experience across devices and locations”

Maintain personalized settings across multiple devices, even non-persistent VDI ses-

sions


Smackdown


Experience auto-mapping printers and networks as you roam between locations

Enjoy speedy logon times and faster time-to- application, with minimal downtime

Business benefits: “Enterprise-grade user management with low up-front investment”

Scale out services with a single solution that supports virtual, physical, and cloud-

hosted environments

Drive down user management costs without adding additional infrastructure

Respond to changing business dynamics with the ability to quickly add/remove profile

and personalization services

Architecture

In order to control costs, VMware User Environment Manager leverages a company’s existing

Windows infrastructure. Unlike other solutions, it does not require additional components,

such as a databases or web servers. VMware User Environment Manager also uses commonly

used mechanisms for deployment (MSI) and configuration (Active Directory Group Policy) of

the client agent. This strategy makes it possible to scale up alongside the scaling of the Win-

dows infrastructure and also, to support off-line usage of managed Windows devices.

Figure 11: Architecture


Smackdown


If a customer has deployed the optional Horizon Cloud Manager, then daily maintenance tasks

can performed using this unified single console.

Functionality

Application Configuration Management

Application Configuration Management enables you to configure the initial settings of an appli-

cation without having to rely on the defaults of the application. "Predefined Settings" can be

used as one-time defaults or can be set each time the application starts (guaranteeing that ap-

plication settings are always in the exact same state). A hybrid approach is also possible: define

which application settings can be personalized and which should always remain at their initial

values, allowing partial personalization.

Using Application Profiler, you can capture predefined settings for an application by simple

running the application on a reference system (monitored by Application Profiler) and then

configuring as desired.

VMware User Environment Manager also provides the capability to manage certain User Envi-

ronment settings when an application is launched, like mapping drives and printers, applying

custom files, folders and registry settings, and running custom tasks.

Additionally, central policy controlled black and white lists govern which applications a user

has access to at any given time.

Application Configuration benefits:

• Decouple user settings from native and virtual applications

• Maintain a single application package while deploying it in multiple configurations

• Ensure compliance with company standards

• Prevent users from misconfiguring error-prone applications

• Only consume network resources (e.g. printers or network drives) when necessary

• Manage all application configuration elements on the application level

User Environment settings

VMware User Environment Manager enables you to centrally manage a variety of User Envi-

ronment settings which users need to perform their daily tasks.

The following User Environment settings are supported:

• Drive and printer mappings

• Environment variables

• Application shortcuts and file type associations

• Custom files, folders and registry settings


Smackdown


• Logon and logoff tasks

• Display language

• Hide drives

• Triggered tasks

• Policy settings

User Environment settings benefits:

• Reduce complex scripting and prevent configuration errors

• Reduce use of dispersed Group Policy preferences

• Manage application shortcuts and file type associations for applications virtualized

with Microsoft App-V (MDOP), Novell ZAV and VMware ThinApp

• Centrally managed from a single management console

Personalization

VMware User Environment Manager Personalization decouples and segments user-specific

desktop and application settings from the Windows operating system, making them available

across multiple devices, Windows versions and application instances. Decoupled personaliza-

tion is independent from the traditional Windows user profiles and allows for easy introduc-

tion and management of virtualization technologies and application delivery mechanisms. Per-

sonalization integrates seamlessly with natively installed and virtualized applications, providing

users with a consistent user experience across any Windows platform – physical, virtual or re-

mote. Additionally, it enables painless upgrades, like migrating from Windows XP to Windows

7 or Windows 10, or migrating from App-V 4 to App-V 5.

Additionally, VMware User Environment Manager makes it easier for admins to make a users’

personal data available on multiple devices.

Personalization benefits:

Much shorter logon and logoff times

Reset user settings per application rather than deleting the complete user profile

Unique cleanup mechanism for existing roaming and local user profiles

Manage personalization of applications virtualized with Microsoft App-V (MDOP)

A single "user profile" per user across multiple Windows platforms

Application Migration

VMware User Environment Manager can "roam" personal application settings of users from

one operating system to another (e.g. from Windows XP to Windows 7), as long as the applica-

tion is storing its configuration in the same location of the user profile (i.e. uses the same regis-

try and AppData locations).


Smackdown


In any application version upgrade (e.g. Office 2007 to Office 2016), either as part of an operat-

ing system migration or as part of the application’s lifecycle management, VMware personali-

zation can manage the personal application settings.

Application Migration benefits:

• Migrate application settings to increase end-user productivity

• Increase user acceptance for application or operating system upgrades

• Avoid helpdesk overload during migrations.

Smart Policy

Condition Sets allow you to combine conditions based on user, location and device characteris-

tics, enabling dynamic adaptation of content and appearance of the end-user desktop. For ex-

ample, you can provide access to a network printer based on the user’s current location or cre-

ate an application shortcut on the desktop based on the user’s identity. Conditions can be

evaluated again when users unlock their workstation or reconnect to a remote session.

Smart Policy is deeply integrated in to Horizon 7 with conditional support for poolnames, tags,

endpoint location and View name and IP information. Using these conditions, you can dynami-

cally control the system clipboard, client drive, USB access, printing capabilities and bandwidth

profile.

Condition sets are managed centrally from the Management Console and can be applied to all

configurable items within VMware User Environment Manager.

Dynamic Configuration benefits:

• Reduce complex scripting and prevent configuration errors

• Reduce use of dispersed Group Policy preferences

• Centrally managed from a single management console

• Manage globally instead of per configured item

• Globally enforce compliance to company standards

• Increase end-user productivity by providing the relevant desktop

• Reduce helpdesk calls by anticipating on dynamic desktop usage scenarios

• Run built-in or custom tasks at logon and logoff, application launch and exit, lock and

unlock workstation, and disconnect and reconnect to a remote session

Licensing and pricing

VMware User Environment Manager is available stand-alone or as part of Workspace ONE,

Horizon 7, Horizon Air, and VMware AppVolumes.


Smackdown


7.15 VMWARE VIEW PERSONA MANAGEMENT

Introduction

Early 2010 VMware acquired certain assets from RTO Software, a provider of user profile man-

agement for Windows desktops and application/performance monitoring tools for desktop vir-

tualization, to enable effective persona management for VMware View.

With VMware View 5, VMware introduced View Persona Management. View Persona Manage-

ment preserves user profiles and dynamically synchronizes them with a remote profile reposi-

tory. View Persona Management does not require the configuration of Windows roaming pro-

files, and you can bypass Windows Active Directory in the management of View user profiles.

If you already use roaming profiles, Persona Management enhances their functionality.

Persona Management downloads only the files that Windows requires at login, such as user

registry files. When the user or application opens other files from the desktop profile folder,

these files are copied from the stored user persona to the View desktop. This algorithm pro-

vides performance beyond that achieved with Windows roaming profiles. In addition, View

copies recent user profile changes to the desktop profile up to the remote repository every

few minutes.

Benefits

View Persona Management minimizes the amount of time necessary for login and logout by:

Downloading at login time only the files that Windows requires for login, such as user

registry files.

Downloading other user profile data only as needed, when the user or application

opens a profile folder on the View desktop. The profile folders appear to contain up-

to-date files, but the data is not downloaded until it is accessed.

Periodically uploading to the remote repository any changes made to the user profile.

The default time between automatic periodic uploads is ten minutes, and this time can

be configured.

Uploading at logout only the user profile changes since the last periodic upload. Be-

cause of the frequent automatic upload of changed user data during the user session,

this final upload does not take a long time.

By minimizing the amount of data uploaded or downloaded at any one time, Persona Manage-

ment provides a performance improvement over Windows roaming profiles. A roaming profile

system managed by Windows copies the entire user profile to the local desktop at login and

copies all user profile changes up to the remote repository at logout.

View Persona Management is an alternative to Windows roaming profiles and allows you to

manage user profiles without relying on Active Directory for configuration. Instead, you config-

ure and manage user profiles entirely within the View environment. Any changes you make to

test View Persona Management have an effect only on View desktops and do not have a global

effect on other desktops, such as physical desktops. You can easily reconfigure View to refine

your implementation.


Smackdown


VMware View Persona Management is an integral part of the VMware View solution, which

also includes other features such as application provisioning. While other profile management

vendors rely on best practices and “good user behavior” to ensure that data and settings are

included in the Windows profile, the VMware approach is to manage a user’s “personality”.

The user personality encompasses the unique user experience including user data, user set-

tings, and application access, which is more than a Windows profile covers. By integrating per-

sonality management with other components, such as View Manager and View Composer,

VMware View delivers a complete solution to solve our customer’s problems holistically.

Licensing;

Persona Management is free as part of VMware Horizon View 7.x


Smackdown


8. UEM FEATURES COMPARISON

8.1 INTRODUCTION

It’s important to understand that comparing features is the last step in the decision tree. Vi-

sion, Strategy and Technology are the first steps to take. Each User Environment Management

product has its own functionality and feature-set.

It’s key to have an overview of the vendors, solutions and their functionality. Some vendors of-

fer complete and comprehensive sets of functionality while others are focused to deliver a

smaller solution set with specific functionality. Both scenarios are valid, it all depends what

kind of functionality you’re looking for. Keep the strategic questions mentioned in chapter 3.8

in mind!

Below you will find an overview of the various vendors, their solutions and the functionality

they are offering on a very high level. As mentioned in chapter 5 it’s key to understand that dif-

ferent vendors have different focus, approach and solutions to fill in the UEM space. The diffe-

rent focus areas used in the diagram are:

User Profile Management; Manage Windows User profiles; local, roaming, hybrid,

mandatory;

User Personalization, or Application and Desktop Management; Application icons, set-

tings and configuration preferences;

Application Access Control, with User Rights Management or Security Management;

enforce access to applications, persona and context aware.

Resource Management; Application performance optimization and management;

License Management; insights, reporting and enforcing the use of licenses;

Application Delivery: User centric Application Installation with Dynamic Privileges,

User Installed Applications, Streamed and Virtualized applications;

Monitoring, Auditing and Reporting facilities on various levels with focus on the user

environment.


Smackdown


There are a lot of vendors in the User Environment Management space. The diagram below

gives an overview of the focus of the various User Environment Management (UEM) software

vendors. This diagram has nothing to do with the (possible) discussion which vendor provides

the most and the best functionality and features. A complete overview of the features and

functionality is available in this chapter.

Vendor Product

Use

r P

rofi

le M

gmt

Use

r P

erso

nal

isat

ion

Ap

plic

atio

n A

cces

s C

on

tro

l

Use

r R

igh

ts M

anag

eme

nt

Re

sou

rce

Man

agem

en

t

Lice

nse

Man

agem

en

t

Ap

plic

atio

n D

eliv

ery

Mo

nit

or,

Au

dit

an

d R

epo

rt

Appixoft Sense

AppSense DesktopNow

Citrix User Profile Management

Dell Wyse vWorkspace

Liquidware Labs ProfileUnity

Microsoft GPO, GPPrefs, USV, UE-v

Norskale VUEM

PolicyPak PolicyPak Application

Manager

RES ONE Workspace

Tricerat Simplify Suite

VMware Persona Management

VMware User environment Manage-

ment


Smackdown


Product Version

We did our best to be truthful and accurate in investigating and writing-down the different

features. When you see improvements please let us know. This detailed feature compare ma-

trix is developed with the following products and versions:

Product Version

AppiXoft Scense 10

AppSense Environment Manager 8.6. SP2

AppSense Performance Manager 8.3 SP1

AppSense Application Manager 8.9 SP2

Citrix User Profile Manager 3.1

DELL Wyse vWorkspace 8.6.1

FSLogix 2.1

Liquidware Labs ProfileUnity 6.5

Liquidware Labs Flex-io 1.5

Microsoft Windows Server and Client 2012R2 and 10

Microsoft User Experience Virtualization 2.0

Norskale VUEM 3.5

PolicyPak Application Manager Build 557

RES ONE Workspace 2012 SR3

Tricerat Simplify Suite 5.5

Unidesk 2.5

VMware User Environment Management 9.0

VMware Persona Management 7

8.2 ROADMAP AND FUTURE ADDITIONS

This document is just the beginning and will be developed and developed in the near future.

We plan to add more feature details of the currently named vendor solutions and want to add

new solutions where applicable. If you have any comments, corrections, or suggestions for im-

provements of this document, we want to hear from you! Please send e-mail to Rob Beekmans



Smackdown


8.3 FEATURE COMPARE MATRIX

UEM solutions and features

Goal: Detailed description of features

Requirements: Hands-on-experience, vendor involvement

Result: Whitepaper

Method of Execution: Hands-on experience, read articles, communicate with ven-

dors and discuss with colleagues

Legend:

√ = Applicable;

X = Not applicable;

--- Not needed

~= It depends;

# =under investigation by PQR

A green √ or red X has nothing to do with advantage or disadvantage of a solution. It just pre-

sents the availability of the functionality. Note: It’s out of scope for this whitepaper to explain

the ‘It depends’ remarks’.

# are under investigation and will be changed to other symbols as soon as we get confirmation

on the functionality or support. A next version of the whitepaper will reflect the changes.


Smackdown

Version 16.02 april 2016 Page 90

8.4 GENERIC FEATURES AND FUNCTIONALITY

Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Management Server / UEM solution

Server instance officially supports 1K concurrent connections √ √ --- √ √ √ X √ √ --- ---

Server instance officially supports 2.000 concurrent connections √ √ --- √ √ √ X √ √ --- ---

Server instance officially supports 5.000 concurrent connections √ √ --- √ √ √ X √ √ --- ---

Server instance officially supports 10.000 concurrent connections √ √ --- √ # √ X √ √ --- ---

Server instance officially supports 20.000 concurrent connections √ √ --- √ # √ X √ X --- ---

Database instance officially support 20.000 concurrent connections √ √ --- √ # √ --- --- √ --- ---

Total supported managed clients per ‘farm≤ 10.000 CCU √ √ √ √ √ √ √ √ √ √ #

Total supported managed clients per ‘farm’ 10K – 25K CCU √ √ √ √ √ √ --- √ √ √ #

Total supported managed clients per ‘farm’ ≥ 25.000 CCU √ √ √ √ √ √ --- √ √ √ #

Integration with 3rd party systems management solutions X √ X X √ √ √ X √ X X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Centralized management console √ √ X √ √ √ √ √ √ √ X

Web-based management interface X √ X X X X X √ X X X

Single centralized management console for support and admin √ X X # √ √ √ √ √ ~ X

Windows GUI for Management (includes MMC) √ √ ~ X √ √ √ √ X ~ X

Delegation of control √ √ X √ X √ √ √ √ X X

Delegation of control, granular delegated administration roles √ √ X √ √ √ √ X √ √ X

Console supports multiple concurrent administrators √ √ ~ ~ √ √ √ √ √ √ ---

Admin access console with different credentials other than current account details √ √ --- # --- √ --- √ √ ~ ---

Console supports Single-Sign-On √ √ --- √ --- √ --- √ √ √ ---

Console supports SQL Authentication √ √ --- # --- # --- --- √ --- ---

Configuration check in/out process for multiple administrators X √ --- X --- √ --- X X X ---

Single management console supports 5000+ managed clients √ √ √ √ √ √ √ √ √ √ √


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

client endpoint search capabilities across management console √ √ --- √ --- # X √ √ X ---

Support for (wildcard) searching across management console √ √ --- √ X √ --- √ √ X ---

Client – Server traffic is secure by design √ √ √ √ √ √ √ √ √ √ √

Management traffic is secure by design √ √ √ √ √ √ √ √ √ √ √

Management traffic can be Network Load Balanced √ √ --- # --- √ # --- √ ~ ---

Auditing and security logging of admin actions √ √ X √ √ √ √ √ √ X √

Event and error reporting √ √ √ √ √ √ √ √ √ √ √

Security hardening guidelines public available X X X X X X X X X X X

Support low bandwidth/high latency WAN connections √ √ √ √ √ √ √ √ √ √

PowerShell SDK X √ X √ X X X X X X X

Scripting (not including PowerShell) support and command-line interface √ √ X X √ X X √ √ √

Microsoft Group Policy-based management for agent/client settings X √ √ X √ √ √ √ X √ √


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

API Interface (public) and documented X √ X X ~ X X √ X X X

Support for Branch/Relay-servers for scalability/minimizing site-2-site traffic √ √ --- X --- √ --- --- √ ~ ---

Client end point merging of multiple separate configurations # √ X X # √ √ √ X √ #

Configuration layering within the console # √ X X ~ # √ √ √ # X

Configuration Change Tracking √ √ X √ X √ X X √ X X

Product Patching via MSPs X √ X √ √ √ X --- X √ X

Microsoft System Center Integration X √ X √ X X √ X √ ~ X

Schedule Agent Installation for immediate install √ √ X √ --- X --- --- X --- ---

Schedule Agent Installation at next computer start up prior to logon √ √ X X --- X --- --- X --- ---

Schedule Agent Installation for any given time √ √ X X --- X --- --- X --- ---

Enable user to postpone agent installation (within predefined timeframe) √ √ X X --- X --- --- X --- ---

Agent Installation Notification available in multiple languages √ √ --- X --- X X --- √ --- ---

Synchronized Agents & Configuration Deployment and Installation √ √ --- √ --- √ --- --- √ --- ---

Force Agent to Poll Now to pull latest Configuration √ √ --- X √ X √ X √ --- ---

Variable Poll Periods √ √ --- # √ √ √ √ √ --- X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Failover support via multiple Management Servers √ √ --- √ --- √ --- --- √ --- ---

Workspace Model to enable/disable UEM features √ √ --- X √ √ --- X √ √ ---

User Self-Initiated refresh X X --- X X X --- X √ √ X

Update of UEM configuration (no need to logoff/logon) √ ~ --- X √ √ --- √ √ √ X

Management Server / UEM solution: Built-in PowerShell Cmdlets for scripted configura-

tion

# √ --- √ √ X # X # # #

Licenses

No external license server required √ √ # √ √ √ √ √ √ √ √

First year support and maintenance included in license √ X # √ √ √ √ √ √ √ #

24 x 7 support included in base license X √ # X # √ X X X X #

24 x 7 support, additional pricing X --- X √ # --- X √ √ √ #

Built into Operating System X X X X √ X X X X X X

Physical endpoint use license included with VDI/RDS license --- --- √ # # --- --- --- --- # X

Concurrent user/desktop licenses √ √ √ √ √ √ √ √ √ √ #

Per device licenses √ X √ √ X √ √ X X √ #

Per named user licenses √ √ √ √ √ √ X √ √ √ #

Per server licenses X √ X X X X --- X X X #

Enterprise/site license program √ √ X X √ √ √ √ √ √ #


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Academic/Education license program √ √ √ X √ √ √ √ √ √ #

Government license program √ √ √ √ √ √ √ √ √ √ #

Service Provider license program √ √ X √ # √ √ √ √ √ #

Free for personal usage (FFPU) √ X X X X √ X √ √ X X

Support and Community

Public and active community √ √ √ √ √ √ √ √ √ √ #

Official training classes available √ √ X √ X √ √ √ √ √ #

Official certification program, VUE or Prometric X √ X X X X X X √ X #

UEM technology is proven; the solution is being used for 1+ year in enterprise production

environments. 10K+ endpoint, various deployment scenarios.

√ √ √ √ √ √ √ √ √ √ #

10+ of public available enterprise (10K CCU) references in EU using UEM solution X √ √ √ √ √ X X √ √ X

10+ of public available enterprise (10K CCU) references in US using UEM solution X √ √ √ √ # X X √ X X

10+ of public available enterprise (50K CCU) references in EU using UEM solution X X X X X √ X X X X X

10+ of public available enterprise (50K CCU) references in US using UEM solution X X X X X # X X X X X

Enterprise Reference Architecture, public available X √ √ √ # √ X X √ X X

Professional Services Organization – Business hours multi-lingual support √ √ √ √ √ √ X √ √ √ √

Professional Services Organization - 24h multi-lingual support (possible additional con-

tract)

X √ √ X √ √ X √ √ √ √


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Technical Account Manager (TAM) available √ √ √ X √ √ X √ √ √ √

Management Platform

Management through Active Directory X ~ √ √ √ √ √ √ X √ √

Management through file share X X X X X X √ √ X √ √

Datastore transfer Protocol - SMB √ √ √ X √ X √ √ √ √ √

Datastore transfer Protocol - HTTP(s) √ √ X X X X X X √ --- X

Datastore transfer Protocol – SMB X √ √ X X X --- √ √ √ √

Datastore transfer Protocol - TCP / configurable and supported X √ X √ X √ --- X √ --- X

Datastore transfer Protocol - Database specific (protocol differs per DB type) √ √ X X --- X --- --- √ --- X

Datastore transfer Protocol – Windows Communication Foundation √ X X X --- √ --- X X --- X

Datastore / database OS support

Management through database engine √ √ X √ --- √ --- √ √ --- ---

Microsoft SQL Server 2005 Express Edition √ X --- X --- X --- --- √ --- ---

Microsoft SQL Server 2008 SP1 Express Edition √ √ --- X --- √ --- --- √ --- ---

Microsoft SQL Server 2008 R2 Express Edition √ √ --- X --- √ --- --- √ --- ---

Microsoft SQL Server 2005 √ X --- X --- X --- --- √ --- ---

Microsoft SQL Server 2008 R2 √ √ --- √ --- √ --- --- √ --- ---


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Microsoft SQL Server 2008/SP2 √ √ --- √ --- √ --- --- √ --- ---

Microsoft SQL Server 2012 √ √ --- √ --- √ --- --- √ --- ---

Microsoft SQL server 2014 √ √ --- √ --- √ --- --- √ --- ---

Microsoft SQL Azure X X --- X --- √ --- --- √ --- ---

Microsoft SQL Server 2008 R2, built-in support for native SQL Mirroring √ √ --- X --- √ --- --- √ --- ---

Oracle Enterprise √ X --- X --- X --- --- √ --- ---

MySQL Enterprise Server X X --- X --- X --- --- √ --- ---

IBM DB2 X X --- X --- X --- --- √ --- ---

PostgreSQL X X --- X --- X --- X X --- ---

Management Server OS support

Microsoft Windows Server 2003 R2 √ X --- X √ √ √ X --- X ---

Microsoft Windows Server 2003 R2-64-bit √ X --- X √ √ √ X --- X ---

Microsoft Windows Server 2008 √ X --- √ √ √ √ √ --- √ ---

Microsoft Windows Server 2008 64-bit √ √ --- √ √ √ √ √ --- √ ---

Microsoft Windows Server 2008 R2 64-bit √ √ --- √ √ √ √ √ --- √ ---

Microsoft Windows Server 2012 64-bit √ √ # √ √ √ # # # √ #

Microsoft Windows Server 2012R2 64-bit √ √ # √ √ √ # # √ √ √

Microsoft Windows Server 2016 X X X X X √ X X X √ X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Virtual (Linux) appliance X X --- X X X X √ --- --- ---

Supported Directory Services

OpenLDAP support X X X X X X X X X X X

Novell eDirectory official support X X X X X X X X √ X X

Novell Domain Services for Windows official support X X X X X X X X √ X X

Microsoft Directory Services support; ADS 2003+ √ √ √ √ √ √ √ √ √ √ √

Microsoft Read Only Domain Controllers (RODC) √ √ √ # √ √ # √ √ √ #

Supported Protocols for all UEM related components

TCP/IP v4 √ √ √ √ √ √ √ √ √ √ √

TCP/IP v6 ~ √ √ # √ √ √ √ ~ √ #

UEM Software Architecture

Software and Agents available as 32bits component √ √ √ √ √ √ √ √ √ √ √

Software and Agents available as 64bits component, native 64 bits components √ √ √ √ √ √ √ X √ √ √

Client Operating System support


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Microsoft Windows 10 (x86/x64) √ √ √ √ √ √ √ √ √ √ √

Microsoft Windows 8.0 / 8.1 (x86/x64) √ √ √ √ √ √ √ √ √ √ √

Microsoft Windows 8 RT X X X X X X X X X X X

Microsoft Windows 7 Professional √ √ √ √ √ √ √ √ √ √ √

Microsoft Windows Vista Professional √ √ √ √ √ √ √ √ X √ X

Microsoft Windows XP Professional √ X √ √ √ √ √ √ X √ X

Microsoft Windows Server 2003 R2 √ X √ √ √ √ √ √ X √ X

Microsoft Windows Server 2008 √ √ √ √ √ √ √ √ √ √ X

Microsoft Windows Server 2008 R2 √ √ √ √ √ √ √ √ √ √ √

Microsoft Windows Server 2012 R2 √ √ √ √ √ √ √ √ √ √ √

Windows XPe √ X √ √ √ √ √ √ √ √ X

Windows Embedded Standard 7+ √ √ √ √ √ √ √ √ √ √ X

Mac OS X X X X √ X X X X ~ X X

Unix flavors X X X X X X X X ~ X X

Linux flavors X X X √ X X X X X X X

EPOC / Symbian X X X X X X X X X X X

Wyse Thin OS (WTOS) X X X √ X X X X X X X

Apple iPhone/iPod IOS v6.x X X X √ X X X X X X X

Apple iPad IOS v6.x X X X √ X X X X X X X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Google Android v2.x X X X √ X X X X X X X

RIM BlackBerry X X X X X X X X X X X

Windows Phone 7/8 X X X X X X X X X X X

Windows Phone 10 X X X X X X X X X X X

Client/User Session Environment

Agent technology, Helper X √ X X X X X X √ X X

Agent technology, AppInitDLL X X X X X X √ X X X X

Agent technology, Service √ √ √ X √ √ √ X √ √ √

Agent technology, Service (hooks WinLogon) X √ X √ X X X √ X X X

Agent technology, Service (parent process) X √ X X √ √ √ √ √ X X

Agent technology, Kernel mode filter driver √ √ √ X X X X √ √ X #

Agent technology, Executable √ X X X X √ X √ X √ X

Option to run agent-free (no installation on Client system) X X X √ X X X √ X √ X

Command-line parameters √ √ X # √ √ √ X √ √ X

Uses file system driver √ √ √ X X X --- X √ X #

No kernel-mode component required √ √ √ √ √ √ √ √ X X #

Component with elevated user rights √ √ √ # X ~ X √ √ --- X

User self-service component √ √ X # X √ X ~ √ √ X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

PM

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

No

rska

le V

UEM

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e

VM

war

e U

EM

VM

war

e

Pe

rso

na

Man

age

me

nt

Application Delivery integration

Citrix XenApp: Ability to Publish Citrix applications # X X X X √ X √ √ X X

Microsoft RDSH: RemoteApp (native or MSI) √ X X √ √ √ √ √ √ √ #

Microsoft Application Virtualization, App-V (native or MSI) √ √ X √ √ # √ X √ √ #

Symantec Workspace Virtualization (native or MSI) √ X X X # X √ X √ √ #

VMware ThinApp (native or MSI) √ X X √ X √ √ √ √ √

Citrix XenApp Streaming X X X X X X √ X √ √ #

Microsoft MSI √ # X √ √ √ √ √ √ √ #

Windows Store apps # √ # # # # # # # # #

User Experience X

Reverse seamless functionality: Windows- and Web application integration X X ~ X X √ X X √ X X


Smackdown


8.5 USER PROFILE MANAGEMENT

Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Man

age

r

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e M

gr

VM

war

e U

EM

VM

war

e P

ers

on

a

Man

age

me

nt

Methodology

Profile segmentation / partitioning / separation / decoupling √ √ X √ --- --- √ √ √ √

Profile redirection/ streaming / virtualization √ √ √ √ √ --- √ √ √ √

Granularity and decoupling apps √ ~ √ √ √ √ √ √ √ X

Templates and / or wizards available to capture user settings # √ X X X X √ √ √ X

Migration

Replaces Windows Roaming Profiles √ √ √ √ √ --- √ √ √ √

Migrate from local or roaming profiles √ √ √ √ X --- √ √ √ √

Migrate from competing products √ √ √ √ X --- √ √ √ √

Migrate v1 to v2 profiles (automatically) √ √ X X X X √ √ √ ~

Migrate from v2 to v5 profiles (automatically) √ √ X # # # # # √ ~

Migrate from vx to v6 profiles (automatically # # # # # # # # # #

Migrate individual apps across versions √ √ √ X X √ √ √ √ X

Migrate for managed (UEM) profile back to Windows native profile √ √ √ # --- --- √ √ √ √


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Man

age

r

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e M

gr

VM

war

e U

EM

VM

war

e P

ers

on

a

Man

age

me

nt

Base Profile support

Local Profiles √ √ √ √ X --- √ √ √ √

Roaming Profiles √ √ X X X --- √ √ √ √

Mandatory Profiles √ √ √ √ X --- √ √ √ #

Streamed Profiles X --- √ √ √ --- --- X √ #

Works independent of Roaming Profiles √ √ √ √ √ √ √ √ √ √

User Profile Data Store

Windows File share √ √ √ √ √ X √ √ √ √

Management through database engine √ √ --- √ --- --- --- √ --- ---

Datastore transfer Protocol - SMB X √ √ X √ √ √ √ √ √

Datastore transfer Protocol - HTTP(s) X √ X X X X --- X --- X

Datastore transfer Protocol - CIFS X √ √ X X X √ √ √ √

Datastore transfer Protocol - TCP / configurable supported √ √ X √ X X --- X --- X

Datastore transfer Protocol - Database specific X X X X X X --- √ --- X

Datastore transfer Protocol - DCOM X X X X X X --- X --- X

Built-in replication/synchronization √ √ √ √ √ --- √ √ √ √

Data compression before transfer √ √ X √ √ √ √ √ √ X

Synchronization of data is based on delta’s √ √ √ # --- # √ √ √ X

Data streaming during profile transfer X --- √ # # --- --- X √ X


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Man

age

r

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e M

gr

VM

war

e U

EM

VM

war

e P

ers

on

a

Man

age

me

nt

Parallel processing of logon actions √ √ --- √ √ √ √ √ √ X

Support for Client Side Extensions X √ --- # √ # --- X √ #

Profile Management

Personalization loaded on demand (at app launch) for locally installed applications √ √ ~ X √ √ √ √ √ #

Personalization loaded on demand (at app launch) for virtualized applications √ √ ~ # √ √ √ √ √ #

Personalization templates X √ √ # X # √ √ √ #

1st Line support - Personalization Support Web Console X √ X # X # X X # #

Automatically capture application personalization √ √ X X √ X √ √ √ #

Automatically translate OS version properties √ √ X X X X √ √ √ #

Built-in user profile snapshots √ √ X X X X √ √ √ #

User self-service and profile management √ √ X # X # ~ √ √ #

Cross-application delivery mechanism support (v-apps etc) √ √ X X √ √ √ √ √ #

Cross-architecture support (32-bit & 64-bit) √ √ X √ √ √ √ √ √ #

Cross-operating system support for desktop settings √ √ X √ √ √ √ √ √ #

Discovery mode √ √ X X √ X X √ √ #

Builtin Reporting X √ X X X X √ √ X #

Isolation/Virtualization/Redirection of application settings X √ X √ # √ √ √ X #

Last write wins - Per Application √ √ X √ √ X √ √ √ #

Last write wins - Per Session √ √ √ X √ √ √ √ √ #


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Man

age

r

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e M

gr

VM

war

e U

EM

VM

war

e P

ers

on

a

Man

age

me

nt

Migrate from local or roaming profiles √ √ √ √ √ X √ √ √ √

Offline (Cached) Mode √ √ √ X √ √ √ √ √ #

Pre-cache personalisation on new machines X √ X X √ √ √ X √ #

Support for Terminal Server /desktop silos √ √ √ √ √ √ √ √ √ #

Supports user certificates √ √ √ √ √ --- √ √ √ #

Return to local or roaming profiles √ √ √ √ X --- √ √ √ √

Application Virtualization support

Microsoft Application Virtualization, App-V √ √ X X √ √ √ √ √ X

Symantec Workspace Virtualization √ √ X X X √ √ √ X X

VMware ThinApp √ √ X X X √ √ √ √ √

Novell ZENWorks / Turbo.net X X X X X √ √ √ √ X

Application Layering support

VMware Appvolumes √ √ # # --- # √ ~ √ #

Citrix AppDisk √ √ # # --- # √ # # #

Unidesk # √ # # --- # √ # # #

Cross Platform Personalization support


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

ix U

ser

Pro

file

Man

age

r

DEL

L W

yse

vW

ork

spac

e

Mic

roso

ft

Po

licyP

ak A

pp

licat

ion

Man

age

r

Liq

uid

war

e L

abs

Pro

file

Un

ity

RES

ON

E W

ork

spac

e M

gr

VM

war

e U

EM

VM

war

e P

ers

on

a

Man

age

me

nt

Cross-application delivery mechanism support (native, virtual, hosted apps etc.) √ √ X √ √ X √ --- √

Cross-architecture support (32-bit & 64-bit) √ √ X √ √ √ √ --- √ X

Cross-operating system support for desktop settings √ √ X X √ √ √ --- √ X


Smackdown


8.6 USER PERSONALIZATION, APPLICATION AND DESKTOP MANAGEMENT

Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Policy configuration component √ √ X √ √ √ √ √ √ X

Extendable with 3rd party tools √ √ X X √ X X √ ~ X

Processing of configuration during Windows Logon √ √ # √ √ √ √ √ √ #

Parallel processing of logon actions √ √ # √ X √ X √ √ X

Multithreading of logon actions √ √ # X √ √ √ X √ X

Policy component supports granular configuration √ √ √ √ √ √ √ √ √ X

Can execute custom code (scripts, external EXE) √ √ # √ √ √ X √ √ X

Lockdown and removal of OS and 3rd party application UI/content √ √ X √ ~ √ √ √ √ X

Healing of processes, registry keys, services and files X √ X X X √ √ √ X X

Native Action triggers

User Logon √ √ √ √ √ √ √ √ √ √

User Logoff √ √ √ √ √ X X √ √ √

Group Policy Refresh X X X √ √ √ √ X √ X

Delayed Event √ √ X √ X X X √ X √

Application Start √ √ X √ X X √ √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Application Stop √ √ X √ X X X X √ X

Network Connect X √ X √ √ √ √ √ X X

Network Disconnect X √ X √ X √ X √ X X

Session Reconnect X √ X √ X √ X √ √ X

Session Disconnect X √ X √ X X X X √ X

Session Lock X √ X √ X X X X √ X

Session Unlock X √ X √ X √ X X √ X

Process Start X √ X √ X X X √ √ X

Process Stop X √ X √ X X X X √ X

Application Install X X X X X √ X X X X

On Error X √ X X X # X X X X

Computer Startup √ √ X √ √ √ √ X X X

Computer Shutdown √ √ X √ √ X X X X X

Process Start – From UNC Path X √ X √ X X X X √ X

Manual / Scripted / On Schedule √ √ X √ √ √ √ √ √ √

Native policy actions

Copy files and/or folders √ √ X √ √ √ X √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Desktop background √ √ X √ √ √ X √ √ X

Devices X √ X √ √ √ X √ X X

E-mail profiles X X X √ √ X X √ ~ X

Environment variables √ √ X √ √ √ √ √ √ X

File-type associations √ √ X √ √ √ X √ √ X

File and Folder actions √ √ X √ √ √ X √ √ X

Folder Redirection X √ X √ √ √ X √ √ X

INI files √ √ X √ √ √ √ √ √ X

Internet Settings X √ X √ √ ~ √ √ √ X

Internet Explorer settings X √ X √ √ ~ √ √ √ X

Local users and groups √ √ X √ √ X X √ X X

Network Drives √ √ X √ √ √ X √ √ X

Shortcuts √ √ X √ √ √ X √ √ X

ODBC data sources X √ X √ √ √ X √ √ X

Power options X √ X √ √ √ X √ X X

Printers √ √ X √ √ √ X √ √ X

Regional options X √ X √ √ X √ √ √ X

Registry keys and values √ √ X √ √ √ √ √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Scheduled tasks √ X X X √ X X √ X X

Screen saver X √ X √ √ √ √ √ √ X

Start Menu options X √ X √ √ √ √ √ √ X

VPN and dial-up connections X √ X √ √ X X √ X X

Windows Explorer folder option X √ X √ √ √ X √ √ X

ADM / ADMX templates X √ X √ √ X --- √ √ X

Message Boxes √ √ X √ √ √ X √ √ X

Configure Microsoft Fax client X X X √ √ X X X X X

Microsoft Office File locations X √ X √ √ X √ √ √ X

Microsoft Office preferences X √ X √ √ X √ √ √ X

Microsoft Outlook preferences X √ X √ √ X √ √ √ X

Outlook Express X √ X √ √ X √ √ √ X

Remote Desktop Connection client settings X X X √ √ X √ X √ X

Windows options √ √ X √ √ √ √ √ √ X

Windows services √ √ X √ √ X X X X X

Text File Update √ √ X √ X √ √ √ X X

Text File Search X √ X X X √ X X X X

File & Folder Copy √ √ X √ √ √ X √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Ability to write your own Custom Policy Actions √ √ X √ X X X √ √ X

Folder mirroring X √ X √ √ X X √ # X

Folder Synchronization X √ X √ √ X X √ # X

Custom VBScript queries for Actions √ √ X X X X X X √ X

Custom JScript queries for Actions √ √ X X X X X X # X

Customer PowerShell queries for Actions ~ √ X X X X X X √ X

Only Copy ‘New’ or ‘Changed’ items, files or folders √ √ X √ X √ X √ √ X

Ability to Mirror Folder to mirror source if files are removed X √ X √ X X X √ √ X

Synchronize Folder, unlike Mirror this is a two way process X √ X X X X X √ X X

Windows 10 tiles X X # # # # # # # #

Built-in rules / native conditions

Active Directory Site √ √ X √ √ √ √ √ √ X

Client Computer Domain √ √ X √ √ # √ √ √ X

Client Computer Group √ √ X √ √ # ~ √ X X

Client Computer Organisational Unit √ √ X √ √ # √ √ √ X

Client Connection Protocol √ √ X √ X # √ √ √ X

Client IP Address / Address Range √ √ X √ √ √ √ √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Client NetBIOS Name √ √ X √ √ √ √ √ √ X

Client Screen Colour Depth √ √ X √ # X √ √ X X

Client Screen Resolution √ √ X √ √ X X √ X X

Computer Chassic Type (device detection) √ √ X √ X X # √ # X

Computer Domain √ √ X √ # √ √ √ √ X

Computer Group √ √ X √ √ # √ √ X X

Computer IP Address / Range √ √ X √ √ √ √ √ √ X

Computer MAC Address / Range √ √ X √ √ X √ √ X X

Computer Name (DNS / NetBIOS) √ √ X √ √ √ √ √ √ X

Computer Organizational Unit √ √ X √ √ X √ √ √ X

Operating System Service Pack √ √ X √ √ √ √ √ √ X

Operating System version √ √ X √ √ √ √ √ √ X

Operating System bit level (x86/x64) √ √ X √ √ √ √ √ √ X

Published Application Name X √ X √ √ √ √ X X X

User Group √ √ X √ √ √ √ √ √ X

User Is Administrator √ √ X √ √ √ √ √ X X

User Name √ √ X √ √ √ √ √ √ X

User Organizational Unit √ √ X √ √ √ √ √ √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

User Primary Domain Group √ √ X √ √ √ √ √ X X

User Domain √ √ X √ √ √ √ √ √ X

Initial Program √ X X √ X √ X X X X

Working Directory √ X X √ X X X X X X

Session Name √ ~ X √ √ √ X √ X X

WMI Query √ X X √ √ √ √ √ X X

File / Folder match (exists, version) √ √ X √ √ √ √ √ √ X

Battery is present √ √ X √ √ X √ √ √ X

CPU speed √ X X √ √ X √ √ X X

CPU Architecture (x86/x64) √ √ X √ √ √ √ √ X X

Number of CPU’s √ X X √ √ X √ √ X X

Wireless Connected network (SSID) X X X √ X X X √ X X

Wireless Nearest access point (BSSID) X X X √ X X X √ X X

Date/time match √ √ X √ √ √ √ X X X

Disk space √ X X X √ X √ X X X

Environment variables √ √ X √ √ √ √ √ √ X

Language (user / system) √ X X √ √ √ √ √ X X

Custom LDAP query √ √ X √ √ √ √ X X X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

MSI query √ X X X √ X √ X X X

Network connection type (VPN, Dailup etc.) X X X √ √ X √ √ X X

PCMCIA slot is present X X X X √ X √ X X X

Portable computer (Laptop) √ √ X √ √ X √ √ √ X

Terminal Server √ √ X √ √ √ √ √ √ X

Domain Controller √ √ X √ √ √ √ √ X X

RAM size √ X X X √ X √ √ X X

Registry match √ √ X √ √ √ √ √ √ X

Time range √ √ X √ √ √ √ √ X X

GP Processing Mode X √ X X √ X √ X X X

Connection type (LAN/dialup) √ X X √ √ X √ √ X X

VMware View client name √ √ X √ √ √ X √ √ X

User interaction - Yes/No response √ √ X X X X X √ X X

Custom VBScript queries √ √ X X X X X X ~ X

Custom Jscript queries √ √ X X X X X X ~ X

Counter Condition – Run Once >>Run many √ √ X √ √ √ √ √ ~ X

Ability to write your own Custom Policy Conditions √ √ X √ X √ X X √ X

Custom VBScript queries for Conditions √ √ X √ X X # X √ X


Smackdown


Functionality Ap

piX

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Cit

rix

UP

M

Liq

uid

war

eLab

s

Pro

file

Un

ity

Mic

roso

ft

No

rska

le V

EUM

Po

licyP

ak A

pp

licat

ion

Man

age

r

RES

On

e W

ork

spac

e

VM

war

e U

EM

VM

war

e P

M

Custom Jscript queries for Conditions √ √ X √ X X # X √ X

Custom PowerShell queries for Conditions ~ √ X √ X X # X √ X

Custom PowerShell queries ~ √ X X X X # X ~ X

If .. else condition √ √ X √ √ X √ X √ X

Remote Host/URL √ X X √ X X # √ X X

Session Type √ √ X √ √ √ √ √ X X

USB storage device, serial and vendor/product X X X √ X X X √ X X

Any AD User Property (User settings from the user account) √ X X √ √ √ √ √ X X

WiFi AccessPoint connectivity (BSSID) X X X X X X X √ X X


Smackdown


8.7 APPLICATION ACCESS CONTROL, SECURITY MANAGEMENT

Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Logging (product specific) √ √ √ X √ √

Application access based on Active Directory User identity √ √ √ X √ √

Application access based on Active Directory Group membership √ √ √ √ √ √

Application access based on Active Directory OU membership √ √ √ X √ √

Application access based on Novell User identity X X X X √ X

Application access based on Novell Directory Group membership X X X X √ X

Application access based on UEM Administrative Roles (RBAC) X √ X X √ X

Alerting (action send mail) X √ X X √ X

Alerting (SNMP) X √ X X √ X

Event triggering (run scripts or custom action) √ √ √ X √ √

Number of Application Instance limits X √ X X √ X

Application Termination X √ √ X √ X

Terminate Application based on change to client name or IP address X √ X X √ X

Application Clean Closure X √ X X √ X

Display warning / Dialog box √ √ √ X √ √

Blocked file archiving (move rule-blocked file to archive) X √ X X X X

Application level Network Access Control X √ X X √ X

Permit access to authorized IP addresses X √ √ X √ X


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Deny access to prohibited IP addresses X √ √ X √ X

Permit access to authorized UNC paths X √ X X √ √

Deny access to prohibited UNC paths X √ X X √ √

Permit access to authorized host server names X √ X X √ X

Deny access to prohibited host server names X √ X

X √ X

Permit access to authorized TCP/UDP ports X √ X X √ X

Deny access to prohibited ports X √ X X √ X

End Point Analysis Scan X √ X X √ X

Application Usage scan X √ X X √ X

User Rights / Privilege discovery mode / reporting X √ X X √ X

Auditing and reporting of self-elevation X √ X X X X

Elevate/Reduce user right for Applications √ √ √ X √ X

Elevation/Reduce user rights to Control Panel Applets X √ √ X √ X

Elevate user rights on the internet for ActiveX / Web Installations X √ X X √ X

Elevate user rights for Application Installations √ √ √ X √ X

Self-Elevation of user rights on demand with White & Black list options X √ √ X √ X

If application is Elevated, option to not elevate Child Processes spawned from the raised Application X √ X X # X

If application is Elevated, option to not elevate Secure Dialog Boxes within the raised Application X √ X X # X

Does not create and depend on a Local Adminstrator account on the machine for Elevation of User Rights √ √ √ X √ X


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Redirect a requested URL to a specified safe URL X √ √ X X X

Redirect an already open URL when context/condition changes X √ X X X X

Redirect URL based on full URL address X √ X X X X

Redirect URL based on Sub-Directory of address X √ X X X X

Redirect URL based on use of Wild Cards X √ X X X X

Time Based Application Access √ √ √ X √ X

Security/blocking approach

Whitelisting √ √ √ √ √ √

Blacklisting X √ √ √ √ √

(Certificate based) vendor trusting X √ √ X X X

User specific rights √ √ √ X √ X

Trusted Ownership / Owner of file X √ X X X X

SHA#1 Digital Signature of file X √ √ X X X

SHA-256 Digital Signature of file # √ # X X X

MD5 Digital Signature of file # √ # X X X

ADLER32 # √ # X X X

Metadata / file properties # √ # X X X

Contextual nodes/levels (block based on …)


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Active Directory Site √ √ √ X √ √

Any Active Directory User property √ X √ X √ #

User √ √ √ X √ √

Group √ √ √ √ √ √

Organizational Unit (OU) √ √ √ X √ √

Device (detail; IP, computer name etc. ?) √ √ √ X √ √

Computer Chassis type √ X √ X √ X

CPU speed √ X X X √ X

CPU architecture (x86/x64) √ X √ X √ X

CPU Number of processors √ X X X √ X

Memory (minimum installed) √ X X X √ X

Screen resolution √ √ √ X √ X

Screen color depth √ √ √ X √ X

CD/DVD (present/not present) √ X X X √ X

Client IP Address/Address range (local device) √ √ √ X √ √

Client name (local device) √ √ √ X √ √

Environment variables √ √ √ X √ √

File √ √ √ X √ √

File version √ √ √ X √ √

Folder √ √ √ X √ √


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

USB Storage Device (Serial number/ Vendor & Product ID) X X X X √ √

Operating System bit level (x86/x64) √ √ √ X √ √

Operating System Version √ √ √ X √ √

Registry Setting & Value √ √ √ X √ √

Remote Host (Ping/Port/HTTP/HTTPS) √ √ √ X √ X

Listener Name X X X X √ X

Wireless Connected network (SSID) X X X X √ X

Wireless Nearest access point (BSSID) X X X X √ X

Session Type (Local Desktop/Remote Desktop/Remote Application) √ √ √ X √ X

Process √ √ √ X √ X

Access Time √ √ √ X √ X

Connection Type (e.g. RDP, ICA etc..) √ √ √ X √ √

Port Number X √ X X √ X

Output of VBScript √ √ X X X √

Output of PowerShell script √ √ X X X √

Output of jScript √ √ X X X √

Application / File vendor X √ √ X X X

Application / File product name X √ √ X X X

Application / File company name X √ √ X X X

Application / File description X √ √ X X X


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Application / File product version (minimum and maximum) √ √ √ X √ X

Product version (maximum and minimum √ √ √ X √ √

Block/filter types/details (what to block)

Filename X √ √ √ √ √

Filename Extension X √ √ X √ √

Folder X √ √ X √ X

Drive X √ √ X √ X

Removable Drive X √ X X √ X

Signature X √ √ X √ X

Network Connection X √ X X √ X

URL Filtering X √ X X √ X

Software Installation X √ √ X √ X

Sessions X X X X √ X

Registry keys X √ √ X √ X

Scripts X √ X X √ X

Security levels

Security disabled (Unrestricted) X √ X √ √ X

Learning mode (Audit only) X √ X X √ X


Smackdown


Functionality Ap

pix

oft

Se

nse

Ap

pSe

nse

De

skto

pN

ow

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

UEM

RES

On

e W

ork

spac

e

VM

war

e U

EM

Self-Authorize X √ X X X X

Security enabled (Restricted) X √ X √ √ X

Other

Ability to prevent malicious changes to alter file integrity X √ X X √ X

Limit # of user-application sessions X √ X X √ X


Smackdown


8.8 RESOURCE MANAGEMENT

Functionality Ap

pSe

nse

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

Logging (product specific) √ X √ √

Alerting (action send mail) √ X X √

Event triggering (run scripts or custom action) √ X X √

Reporting / trending √ X √ √

Fast Session Logoff (background logoff processing) √ X √ √

Timed statistics collection √ X √ √

Throttling options

Share based CPU throttling √ X # X

Share based Memory throttling √ X # X

Share based Disk throttling √ X # X

Limit based CPU throttling √ X # X

Limit based Memory throttling per user √ X # √

Limit based Memory throttling per application/process √ X # X

Limit based Memory throttling per session √ X # √

CPU reservations √ X # X


Smackdown


Functionality Ap

pSe

nse

Liq

uid

war

e La

bs

Pro

file

Un

ity

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

CPU affinity √ X # X

Set CPU conditions/thresholds √ X # √

Set application specific CPU conditions/thresholds √ X # √

Optimization conditions

Window state (minimized, foreground background etc.) √ X # √

Session state (idle, disconnected, locked etc.) √ X # X

Detailed reporting on resource usage √ X # X

Other

Memory optimization √ X # √

CPU/thread optimization √ X # √

IOPS optimization X √ X X


Smackdown


8.9 LICENSE MANAGEMENT

There is a lot to write about License Management in the context of User Environment Management. In forthcoming versions of the whitepaper

more features will be analyzed and described.

Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

pN

ow

RES

ON

E W

ork

spac

e

Assign license costs per app X X √

License types

Companywide license X √ √

Server license X √ √

Per seat license √ √ √

Per named user license √ √ √

Per concurrent user license √ √ √

Per device license √ √ √

Per device license (approved by ISV/Microsoft) X ~ ~

Recognized by Gartner X √ √


Smackdown


8.10 MONITORING, AUDITING AND REPORTING

There is a lot to write about Monitoring, Auditing and Reporting in the context of User Environment Management. In forthcoming versions of

the whitepaper more features will be analyzed and described.

Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

p N

ow

DEL

L W

yse

vW

ork

spac

e

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

VM

war

e U

EM

Monitoring

Session processes X √ √ X √ #

Session CPU usage X √ √ X √ #

Session Memory usage X √ √ X X #

User logon/logoff process √ √ √ √ √ #

Auditing

End-point audit information available (allow/deny access) X √ X X X #

Audit change log (generic) X √ X √ √ #

Audit change log (detailed per object) X √ X √ √ #

Review user logon and logoff process with history X √ X √ √ #

Reporting


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

p N

ow

DEL

L W

yse

vW

ork

spac

e

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

VM

war

e U

EM

End-point software inventory X √ X √ √ #

End-point software usage inventory X √ X X √ #

Resultant set of user specific applied UEM settings (logging) X √ X √ √ #

Resultant set of user specific applied UEM settings (planning) X √ X √ √ #

Export configuration / settings for documentation purposes X √ X X √ #

Report application usage √ √ √ X √ #

Report sessions usage X √ √ √ √ #

Report application/license use per user √ √ X √ √ #

Report application/license use per OU X X X X √ #

Report application/license use per device X √ X X √ #

Report application/license use during a specific time frame √ √ X X √ #

Report application/license use by session state. X X X X √ #

Report users per application √ √ X X √ #

Reporting application CPU usage per user/computer/OU X √ √ X √ #

Report website usage X √ X X √ #

Report license usage √ √ X X √ #

User Analysis by IT support

Location and Devices (contextual user information) X X X X √ #


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

p N

ow

DEL

L W

yse

vW

ork

spac

e

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

VM

war

e U

EM

Account Properties (UEM/Active Directory/IT Store Services) X X X √ √ #

Application Access X X X √ √ #

File Types associations X X X √ √ #

E-mail Settings X X X X √ #

Data Sources X X X √ √ #

Environment Variables X X X √ √ #

Commands (VBscript/PowerShell) X X X √ √ #

Drive and Port Mappings X X X √ √ #

Drive Substitutes X X X √ √ #

Folder Redirection X X X √ √ #

Folder Synchronization X X X X √ #

User Home Directory X X X √ √ #

User Profile X X X √ √ #

Microsoft Configuration Manager tasks X X X X √ #

Printers X X X √ √ #

User Registry/Policy X X X √ √ #

User Settings (view actual configuration) X X X √ √ #

User Settings (export configuration including registry and file/folders) X X X X √ #

User Settings restore X X X √ √ #


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

p N

ow

DEL

L W

yse

vW

ork

spac

e

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

VM

war

e U

EM

Application Security log X X X X √ #

User Installed Applications log X X X X √ #

Website security log X X X X √ #

Removable Disks log X X X X √ #

File and Folder log X X X X √ #

Network Connections log X X X X √ #

User Sessions X X X X √ #

UEM Event Log X X X X √ #

Performance events X X X X √ #

Microsoft Remote Assistance Integration X X X X √ #

UEM Self-Service in a controlled User Environment

Restore profile data X √ X X √ #

Application start-up X X X √ √ #

Application desktop short-cuts X X X √ √ #

Application pin to task bar X X X √ √ #

Desktop background picture X X X √ √ #

Screensaver X X X X √ #

Swap mouse buttons X X X X √ #


Smackdown


Functionality Ap

piX

oft

Sce

nse

Ap

pSe

nse

De

skto

p N

ow

DEL

L W

yse

vW

ork

spac

e

No

rska

le V

EUM

RES

ON

E W

ork

spac

e

VM

war

e U

EM

Usage statistics X X X √ √ #

Set default printer based on location (including local printers) X X X √ √ #

View context information X X X √ √ #

Language X X X √ √ #

Configuration refresh X X X √ √ #


Smackdown


9. CONCLUSION

UEM is a key part in our environment these days, more then ever it is a component that you

can’t do without. With so many players on the market it’s hard to find the one that you need.

In this whitepaper we tried to help you understand what UEM stands for, what you already got

when you are a Microsoft customer, where to think about when looking for UEM and what the

differences are between the products.

Which User Environment Management solution is THE best?!; Good Question! As said before,

we don’t judge we compare. Which solution is the best? The best solution is the one that fits

your use case, your environment, your users and your app strategy. Together with your IT part-

ner you now have the ability to go deeper in your UEM selection process, the pieces are on the

table and they just need to know your requirements.

Key areas for your User Environment Management strategy are:

Are you investigating a tactical (point)-or strategic solution? What do you want to solve?

What’s your desktop delivery and migration strategy for Windows 7?

How do you take care of profile changes during a migration (v1 and v2)? What is your role-

back strategy when all the user and application settings are migrated to Windows 7?

Is work shifting a key driver for the Optimized Desktop? How are the roaming/flexible and

mobile users within the organization facilitated?

How do you achieve consistent and uniform user environment across Desktop, Laptop,

VDI, Terminal Services in managed and un-managed scenarios?!

How do you design, control and maintain logon scripts and user profiles? Are you facing

long logon times to your environment and applications? Would your end-users benefit

from a Profile clean-up? Are you facing profile corruption?

How do you handle all the application and user preferences such as printers, file-types,

drive mappings, access to applications, data, and network resources and application set-

tings? How many people really understand the complex and often legacy internal scripts?

How agile are these scripts and settings?

Is Application Virtualization in scope, how do you handle application preferences in a

mixed OS and Application, and Desktop Delivery infrastructure?

Do you need context awareness? Based on user/role, device, location and various settings

access to application resources is controlled and enforced when needed.

What is your Application and Desktop Delivery solution in BYOC scenarios? How do you

deliver applications to these (un-managed) devices? What is the role of UEM?

Does the end-user need the ability to install and update applications? Is User Installed Ap-

plications functionality needed? Does the user have the correct privileges to install, or up-

date software?

How do you control, administer, audit and report which user has access to which applica-

tion from specific devices or locations? How do you control application usage, user rights

management?


Smackdown


What solutions do you use to make sure you’re compliant? Can you measure, track and

enforce licensing? How do you currently license per device applications such as Microsoft

Project and Microsoft Visio?

Are billing, license-management, reporting and/or charge-back of the delivered applica-

tions needed?

Do you want to offer a Self-Support tool to your users to reduce the amount of Helpdesk

calls?

Does the User Environment Management solution need to be proven and mature? What is

your definition of proven?

Is “Layering the cake” / separation of Operating System - Application - and User Prefer-

ences part of the overall desktop strategy?

Bottom Line: Does IT have focus on your end-user?!


Smackdown


10. CHANGE LOG

Date June 2011 v1.0 - Initial Release

Date June 2011 v1.0.3 – Minor layout fixes + minor RES fixes in tables.

Date June 2011 v1.0.4 – Minor layout fixes

Date November 2011 v1.1 – Community and vendor feedback

Re-read and reviewed the complete document

Removed some typographical errors

Added information in chapter 1 to highlight objectives, suggestions and

improvements

Introduced the term business-consumer besides of end-user

Added chapter 3.3, ‘Layering the cake and Application Delivery’

Added information in chapter 3.4, ‘User Centric Computing’

Updated chapter 3.7, ‘Why UEM’

Updated chapter 3.8, ‘UEM Functionality’; different naming to stretch the

functionality and Desktop Transformation

Updated Chapter 3.9, ‘UEM Strategy’ and added new strategic questions.

Updated chapter 3.11, ‘What’s a name’ and added table ‘Overall terms and

definitions’

Updated chapter 3.12, ‘FAQ’

Updated chapter 4.2, ‘User Personalization’ header and small items in text

Updated chapter 4.3, ‘Application Access Control’ header and small topics in text

Updated chapter 4.5, ‘Licensing’ - small topics in text

Updated chapter 4.6, ’Monitoring, Auditing and Reporting’ small topics in text

Updated chapter 4.7, ‘Application Delivery’ in context of UEM;

Updated chapter 5.1 and 5.2 to highlight the goal and focus of the vendor solution

matric

Updated chapter 5.2, ‘vendor solutions matrix’

Updated chapter 5.3.2, AppSense functionality - License Control

Updated chapter 5.5, ‘Immidio’, introduction, functionality and pricing

Updated chapter 5.9, ‘RES Software’

Updated chapter 5.9.6, ‘RES Dynamic Desktop Studio’

Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’

Updated chapter 6.2, ‘Product version’

New features added:

o Management Server / UEM solution, Database instance officially support

20K concurrent connections

Features updated, Generic Features and Functionality

o Management Server / UEM solution. Server instance officially supports

X.XXX concurrent connections


Smackdown


o Licenses, Education license program

o Support and Community; 10+ of public available enterprise (50K CCU)

references in EU using UEM solution

o Support and Community; Professional Services Organization

o Client (endpoint) Operating System support; Windows 8

Features updated, User Profile Management

o Action triggers, Process Start – From UNC Path

o Native policy actions, Text File Update

o Native policy actions, Text File Search

o Native policy actions, File & Folder Copy

o Built-in rules / native conditions, Counter Condition – Run Once >>Run

many

Features updated, Application Access Control

o Display warning / Dialog box

o Auditing and reporting of self-elevation

o Elevate/Reduce user right for Applications

o Elevation/Reduce user rights to Control Panel Applets

o Elevate user rights on the internet for ActiveX / Web Installations

o Elevate user rights for Application Installations

o Self-Elevation of user rights on demand with White & Black list options

Features updated, License Management

o Per device license (recognized and approved by ISV /Microsoft)

Features changes: AppSense

o Concurrent user/desktop licenses

o Per device licenses

o Enterprise/site license program

o Academic/Education license program

o Service Provider license program

o Integration with 3rd party systems management solutions

o Scripting (none PowerShell) support and command-line interface

o Datastore transfer Protocol - TCP / configurable and supported

o Client/User Session EnvironmentAgent technology, Service (hooks

WinLogon)

o Lockdown and removal of OS and 3rd party application UI/content

o Built-in rules / native conditions, Operating System Service Pack

o Built-in rules / native conditions, Operating System version

o Built-in rules / native conditions, User Domain

o Built-in rules / native conditions, File / Folder match (exists, version)

o Built-in rules / native conditions, Date/time match

o Built-in rules / native conditions, Environment variables

o Built-in rules / native conditions, Terminal Server

o Built-in rules / native conditions, Registry match

o Built-in rules / native conditions, Time range


Smackdown


o Built-in rules / native conditions, User interaction - Yes/No response

o Block/filter types/details (what to block), URL Filtering

o Block/filter types/details (what to block), Software Installation

o Block/filter types/details (what to block), Sessions

o Block/filter types/details (what to block), Registry keys

o Block/filter types/details (what to block), Scripts

o Throttling options, Share based Memory throttling

o Throttling options, Limit based Memory throttling per user

o Monitoring, Session processes

o Monitoring, Session CPU usage

o Monitoring, Session Memory usage

o Reporting, Resultant set of user specific applied UEM settings (planning)

o Reporting, Report sessions usage

o Reporting, Report application/license use per user

o Reporting, Report application/license use per OU

o Reporting, Report application/license use per device

o Reporting, Report application/license use during a specific time frame

o Reporting, Report application/license use by session state

o Reporting, Report users per application

o Reporting, Reporting application CPU usage per user/computer/OU

o Reporting, Report website usage

o Client/User Session Environment

o Agent technology, Service

o Agent technology, Service (parent process)

o Agent technology, Kernel mode filter driver

o Command-line parameters

o UPM, Migrate from competing products

o UPM, Migrate individual apps across versions

o Built-in rules / native conditions, Domain Controller

o Block/filter types/details (what to block), Scripts

RES Software Features updated

o Management Platform, Datastore transfer Protocol – SMB

o Management Platform, Datastore transfer Protocol – CIFS

o Agent technology, Service

o Agent technology, Kernel mode filter driver

o User Profile Datastore, Datastore transfer Protocol - SMB

o User Profile Datastore, Datastore transfer Protocol - CIFS

o User Profile Datastore, Built-in replication/synchronization

o User Profile Datastore, Parallel processing of logon actions

Immidio FlexProfiles Fetures update

o Personalisation loaded on demand (at app launch)

Added information in chapter 7, ‘conclusion’

Added chapter 8, ‘change log’


Smackdown


Date November 2011 v1.11

Added VMware Persona Management vendor information in Chapter 5.14

Date January 2012 v1.2

Review and editing of this document has also been performed by Jeremy Moskowitz, Group

Policy MVP.

Grammar and spelling check of complete document

Updated chapter 3.9, UEM Strategy

Updated chapter 3.12, FAQ

Updated chapter 4.1.1, ‘User Profiles 101’

Updated chapter 4.1.4, ‘Where does Group Policy and GPPrefs fit in with UEM’

Updated chapter 5.2, ‘Vendor matrix‘ with Policy Pak Software and updated Triceat

and Scense

Updated chapter 5.7, ‘Microsoft’

Added chapter 5.8, ‘PolicyPak Software’

Updated chapter 5.10.3 and 5.10.6, ‘RES Software’

Updated 5.12, ‘Tricerat’

Updated chapter 6.1, ‘Introduction’ and ‘vendor solutions matrix’ with Policy Pak Soft-

ware and Tricerat Simply Suite

Updated chapter 6.2, ‘Product versions’

Updated chapter 6.5, ‘Generic Features and Functionality with Policy Pak Software

Updated chapter 6.6, ‘User Profile Management’with Policy Pak Software

Updated chapter 6.7, ‘User Personalization’ with Policy Pak Software

Updated chapter 6.5, New features

o API Interface (public) and documented

o 24 x 7 support, additional pricing

o 24 x 7 support included in base license

o Microsoft SQL Server 2008R2, built-in support for native SQL Mirroring

o Software and Agents available as 32bits component

o Software and Agents available as 64bits component, native 64 bits compo-

nents


o Native policy actions, Ability to write your own Custom Policy Actions

o Native policy actions, Custom VBScript queries for Actions

o Native policy actions, Custom PowerShell queries for Actions

o Native policy actions, Only Copy ‘New’ or ‘Changed’ items, files or folders

o Native policy actions, Ability to Mirror Folder to mirror source if files are re-

moved

o Native policy actions, Syncronize Folder, unlike Mirror this is a two way pro-

cess

o Built-in rules / native conditions, Ability to write your own Custom Policy Con-

ditions


Smackdown


o Built-in rules / native conditions, Custom VBScript queries for Conditions

o Built-in rules / native conditions, Custom Jscript queries for Conditions

o Built-in rules / native conditions, Custom PowerShell queries for Conditions

o Built-in rules / native conditions, Custom PowerShell queries

o Built-in rules / native conditions, If .. else condition

o Built-in rules / native conditions, Remote Host/URL

o Built-in rules / native conditions, Session Type

o Built-in rules / native conditions, USB storage device, serial and vendor/prod-

uct

o Built-in rules / native conditions, Any AD User Property


o If application is Elevated, option to not elevate Child Processes spawned from

the raised Application

o If application is Elevated, option to not elevate Secure Dialog Boxes within the

raised Application

o Does not create and depend on a Local Adminstrator account on the machine

for Elevation of User Rights

o Redirect a requested URL to a specified safe URL

o Redirect an already open URL when context/condition changes

o Redirect URL based on full URL address

o Redirect URL based on Sub-Directory of address

o Redirect URL based on use of Wild Cards

o Time Based Application Access

o Contextual nodes/levels (block based on …) Connection Type (e.g. RDP, ICA

etc..)

o Contextual nodes/levels (block based on …) Port Number

o

Features updated 6.5, Generic Features and Functionality: RES Software

o Database instance officially support 20.000 concurrent connections

o Integration with 3rd party PC-lifeCycle management solutions

o Scripting (not including PowerShell) support and command-line interface

o Professional Services Organization - 24h multi-lingual support

Features updated 6.5, Generic Features and Functionality: Appsense

o Web-based management interface

o Delegation of control, granular delegated administration roles

o 24 x 7 support included in base license

Features updated 6.6, User Profile Management: RES Software

o Last write wins - Per Application

Features updated 6.6, User Profile Management: Tricerat

o Datastore transfer Protocol – SMB

o Datastore transfer Protocol - DCOM

o Offline (Cached) Mode

Features updated 6.6, User Profile Management: AppSense


Smackdown


o Application Virtualization support, VMware ThinApp

Features updated 6.7, User Personalization, Application and Desktop Management,

RES Software

o Parallel processing of logon actions

o Native Action triggers, Process Start

o Native policy actions, File & Folder Copy


Tricerat

o Can define an application as a global object

o Built-in rules / native conditions, Published Application Name


Appsense

o Extendable with 3rd party tools

o Built-in rules / native conditions, Vmware View client name

Tricerat added to chapter6.8 ,Application Access Control, Security Management

Tricerat added to chapter6.10, License Management

Date October 2013 v2.0

Review and editing of this document has also been performed by Jeremy Moskowitz, Group

Policy MVP.

Added whole chapter (5.8) on UE-V

Updated chapter 5.2, ‘Vendor matrix‘

Updated chapter 5.5 and 6.4 (Generic Features and Functionality) for ‘Immidio’

Updated chapter 5.7 on Group Policy, Group Policy Preferences and AGPM

o Added AGPM update for clairty

o Expanded upon Group Policy Preferences’s Item Level Targeting

Updated chapter 5.10 on PolicyPak Application Manager

Updated chapter 6.1, ‘vendor solutions matrix’

Features updated 6.4, Generic Features and Functionality: Immidio Flex+

o Microsoft Management Console Interface

o Support low bandwidth/high latency WAN connections

o Scripting (not including PowerShell) support and command-line interface

o Microsoft Group Policy-based management for agent/client settings

o API Interface (public) and documented

o First year support and maintenance included in license

o 24 x 7 support, additional pricing

o Service Provider license program

o Official training classes available

o UEM technology is proven; the solution is being used for 1+ year in enterprise

production environments. 10K+ endpoint, various deployment scenarios.

o 10+ of public available enterprise (10K CCU) references in EU using UEM solu-

tion


Smackdown


o Professional Services Organization – Business hours (CET) multi-lingual support

o Technical Account Manager (TAM) available

o Datastore transfer Protocol - TCP / configurable and supported

o Datastore transfer Protocol - Database specific

o Datastore transfer Protocol – DCOM

o Management through database engine

o TCP/IP v6

o Software and Agents available as 32bits component

o Software and Agents available as 64bits component, native 64 bits compo-

nents

o Microsoft Windows 8 (x86)

o Component with elevated user rights

o Citrix XenApp

o Microsoft RDSH – RemoteApp (native or MSI)

o Microsoft Application Virtualization, App-V (native or MSI)

o Symantec Workspace Virtualization (native or MSI)

o VMware ThinApp (native or MSI)

o Citrix XenApp Streaming

o Microsoft MSI

Features updated 6.5, User Profile Management: Immidio Flex+

o Profile redirection/ streaming / virtualization

o Migrate individual apps across versions

o Streamed Profiles

o Management through database engine

o Automatically capture application personalization

o Last write wins - Per Session

o Pre-cache personalisation on new machines

o Symantec Workspace Virtualization

o Novell ZENWorks / Spoon.Net

Features updated 6.6, User Personalization, Application and Desktop Management:

added Immidio Flex+

Vendor Solution Description added/updated : 5.8 VUEM -> Norskale V-UEM

Product added/updated 5.2 : VUEM -> Norskale V-UEM

Removed Tricerat from detailed feature matrix

Added tons of new features and updated the text overall

Date February 2013 v2.1

Updated LiquidWare Labs Solution description and mapped the features with latest

ProfileUnity version

Updated Microsoft UE-V 2.0

Updated PolicyPak Application Manager


Smackdown


January – April 2016 – version 16.01

Too many changes in the document after two year, so only highlights of changes will be listed

here for the moment, for the next version a more detailed change log will be available.

Naming

Scense renamed to Appixoft

Immidio renamed to VMware UEM

VMware PM added to tables

RES Software workspace renamed to RES ONE workspace

Microsoft has been combined in one column for readability.

General

Moved all vendors in alphabetic order

Generic features and functionality

VMware PM added o the table

Renamed Quest to DELL Wyse

Features of products have been added or changed.

User Profile Management


User Personalization, application and Desktop management


Application Access Control, security management

VMware UEM added in the matrix

Liquidware labs added in the matrix

Norksale added in the matrix


Resource Management


Norskale added to the matrix

Liquidware labs added to the matrix

License Management

Features of products have been added or changed

Monitoring, auditing and reporting



Smackdown


PQR B.V.

Rijnzathe 7

3454 PV De Meern

The Netherlands

Tel: +31 (0)30 6629729

E-mail: [email protected]

www.PQR.com

[email protected]

http://www.pqr.com/


as

as

Documents

User Environment Management (UEM) - Rob Beekmans · 7.4 AppSense ... pendent overview of the User Environment Management (UEM) solutions and curious about the different features-