Abbreviations:
- BYOC/D – Bring Your Own Computer/Device
- UCL – University College London
- QAS – Quest Authentication Services
- App-V – Application Virtualization
- RDP – Remote Desktop Protocol
I’m currently sharing views and experience with the UCL IT guys about a “New Desktop” project. For years I have been active in providing the best possible desktop experience to my users at Microbiology ETH, by delivering a fully managed, secure, sustainable, and economically efficient desktop and notebook environment while preserving flexibility and performance.
I just came upon a recent blog post by Brian Madden, “The consumerization of IT: Why most vendors get it wrong, and why it’s a real challenge today. (Part 1)”, that led me to question my convictions and rethink parts of my concepts about user experience in our IT environment.
Managed and unmanaged client environments
Companies usually have a strong line of command, and IT clients have typically been deployed in a controlled way: fully managed PCs, locked-down desktops, perimeter protection, limited access through VPN and network access control…
In higher education, academic freedom and the autonomy of the departments have primacy over line of command and central management. Often only shared services are provided centrally, in a “take it or leave it, we don’t care” philosophy. Most universities end up with an organically grown mix of fully, partially, and not managed client environments.
As an evangelist of fully managed IT environments, I used to emphasize the following arguments:
- economic efficiency through standardization
- better, richer overall offering and user experience
- releasing researchers and students from the burden of installation, maintenance, and troubleshooting, so they really can focus on their core duties.
- sustained security and reliability
All the arguments are still valid, but the concept is now confronted with a totally new reality…
Emergence of a new IT reality
With SaaS and cloud technology, it has never been so easy and convenient for a user to circumvent or bypass the corporate IT environment and use his/her own PC, Mac, iPad, or ChromeBook (the BYOD – Bring Your Own Device generation) to achieve all the tasks she is expected to fulfill for the company, her PhD thesis, or her lab supervisor. Equipped with a set of cloud or SaaS services such as join.me, Dropbox, Google Apps, live@edu and Office 365, Skype, SlideShare…, and using corporate services over HTTPS (Exchange, Lync, RemoteApp Server Web Access…), the user can almost completely free himself from locked-down corporate IT. It is no longer possible to block them; they know how to use the new technology. “I will complete all my tasks, I will do what you expect me to do, I will even surprise you, but I do not need your locked-down PC for that. So please do not disturb me with that, do not even try, I’m going to use whatever I want and choose the tools I like best.” According to Brian Madden, “the consumerization of IT is not about BYOD. The consumerization of IT is about the fact that today’s users can do whatever they want, and you in IT can’t stop them even if you wanted to.”
For the faculties, departments or labs that never had a professionally managed IT environment, the emergence of this new IT world virtually opens “access to more technology than you ever fantasized about just a few years ago”. The adoption of these new cloud services is happening at a dazzling pace, and the evolution is even more chaotic than in the old world. That said, the new world does not (yet) bring everything a corporate IT environment should have brought them.
Where a high-quality, managed client environment is in place (companies, some labs and groups in the faculties), the consumerization of IT phenomenon is more difficult to embrace: it is seen more as a threat than as an opportunity, or merely as a fringe phenomenon for geeks or kids.
The client environment I am delivering at Microbiology ETH is fully managed: all computers are standard, deployed automatically, joined to the AD domain, configured with Group Policies, UAC is enforced, and they are patched and monitored by WSUS and Avira servers. They sit behind my firewall and get access to my VLANs through machine certificate authentication (IEEE 802.1X) in the wired and WiFi infrastructure. Even VPN to my VLANs is only possible for fully managed machines that present the AD-auto-enrolled machine certificate. Applications are provisioned and maintained with App-V and a self-service kiosk, which gives the end user a high degree of flexibility without the need for an admin account. Deployment is fast, easy, flexible, and inexpensive with WDS and MDT. Notebook users can ask for a local admin account, but are taught to use it with UAC and not to run admin sessions. Roaming Profiles, folder redirection, Offline Files, Previous Versions, App-V bubbles, VM sandboxes for testing: all these building blocks make my environment stable, rich, efficient to manage, and flexible for the user.
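As an added example (not the author’s own tooling), here is a PowerShell posture check for the Managed World controls listed above: domain join, enforced UAC, a valid auto-enrolled machine certificate usable for 802.1X client authentication, the Wired AutoConfig service, and a WSUS server setting. The issuing CA name `Example-Institute-CA` is a placeholder; the App-V and Avira checks are omitted because their details are not given in the post.

```powershell
# Added example: verify that a Windows client meets the "Managed World" posture.
# Run in an elevated PowerShell session on the client itself.

# Placeholder (assumption): subject of the domain CA that auto-enrolls machine certificates.
$ExpectedIssuer = 'CN=Example-Institute-CA'

$results = [ordered]@{}

# 1. Domain joined?
$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$results['DomainJoined'] = [bool]$cs.PartOfDomain

# 2. UAC enforced? EnableLUA must be 1, and admins must not elevate silently (0).
$pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$results['UacEnforced'] = ($pol.EnableLUA -eq 1) -and ($pol.ConsentPromptBehaviorAdmin -ne 0)

# 3. Machine certificate: issued by the domain CA, currently valid, private key present,
#    and carrying the Client Authentication EKU that 802.1X (EAP-TLS) relies on.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$now = Get-Date
$machineCert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -eq $ExpectedIssuer -and
        $_.NotBefore -le $now -and $_.NotAfter -gt $now -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $clientAuthOid)
    }
$results['MachineCertOk'] = ($machineCert | Measure-Object).Count -ge 1

# 4. Wired AutoConfig (dot3svc) must run for certificate-based 802.1X on the LAN.
$dot3svc = Get-Service -Name dot3svc -ErrorAction SilentlyContinue
$results['Dot3svcRunning'] = ($null -ne $dot3svc) -and ($dot3svc.Status -eq 'Running')

# 5. WSUS: the WUServer policy value is set when clients are pointed at an internal update server.
$wu = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' `
                       -ErrorAction SilentlyContinue
$results['WsusConfigured'] = -not [string]::IsNullOrEmpty($wu.WUServer)

# Report: every check must be true for the host to count as a managed client.
$results.GetEnumerator() | ForEach-Object { '{0,-16} {1}' -f $_.Key, $_.Value }
$compliant = ($results.Values | Where-Object { -not $_ } | Measure-Object).Count -eq 0
'Managed World posture: ' + $(if ($compliant) { 'OK' } else { 'NOT COMPLIANT' })
```

A device failing any check is, in the terms of this post, an Unmanaged World device and should only reach Institute resources through the channels described for BYOD.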
So why should I care about consumerization of IT at all?
Risks of ignoring
If I stick to my fully-managed-only concept, I will have to keep pace with the tremendous SaaS/Cloud offering without being able to provide the same degree of freedom and flexibility. I will need a lot of resources for implementing and maintaining new services, as well as a lot of energy in convincing my users to use my fantastic services. And at the end of the day, my users will use what they like to use: Dropbox, Gmail & co. If I’m totally closed and narrow-minded, I will end up hurting my Institute’s ability to attract and retain the best talent.
Risks of adopting
Well, the risk of embracing consumerization of IT is obvious: it lies in assuming that Bring-Your-Own-Device and Just-Use-the-Technology-You-Like can be accepted in an uncontrolled way. You will end up with a chaotic set of work methodologies, compatibility barriers, reduced shared knowledge, and, last but not least, loss of control over company data and integrity & security issues. The risk is not in adopting, but in assuming that consumerization of IT in the enterprise can replace strong corporate IT services.
How to make use of it
In fact, consumerization of IT should complement and enhance your managed IT environment, making it more open and more fun, if you do it in a controlled way.
I’m going to consider the following mind-shift for the Institute I’m managing at ETH:
- Continuing the effort in providing a solid, fully managed client environment – the Managed World
- Making this Managed World more friendly for the BYOD generation – the Unmanaged World
The principles that will guide this shift include:
- You can only take responsibility for what you can control. That means taking responsibility for the Managed World only.
- BYOD and IT consumerization cannot replace the portfolio of fully managed services, but only enhance them by making them more user friendly.
- Being open to and supporting BYOD and SaaS/Cloud services helps make the Institute environment more attractive to “think different” people.
- Data integrity, security, and business continuity have the primacy over all other considerations.
Features of the Managed World (all already in place)
- Fully managed lifecycle of the client desktop
  - Client computer fleet concept
  - MS-Windows latest version, x32 and x64
  - LiteTouch OS Deployment (MDT/WDS)
  - Active Directory Domain joined
  - Software provisioning with App-V
- Security
  - Update/Patching
  - Patch level and security monitoring
  - Central management and configuration with Group Policies
  - Microbiology VLAN, FW-protected
  - Exclusively IEEE 802.1X LAN/WLAN authentication with auto-enrolled Domain Machine Certificate
  - VPN access to the Institute Network only with auto-enrolled Domain Machine Certificate
- User experience
  - Anytime/everywhere access to all Institute and ETH resources with any managed client
  - No binding to the device / device-independent, full roaming work-style / back to production in minutes in case of device crash
  - Roaming Profiles, Redirected Shell Folders
  - Offline Files synchronization
  - Same login, profile, and experience on any desktop, workstation, notebook, tablet, and scientific acquisition device
  - Convenient offline work
  - Access to print server, home and group folders, scientific shares
  - Previous Versions (4 shadow copies daily)
  - Full daily backup of all data, profiles and settings (server-based) with de-duplication
  - Access to self-service App-V kiosk (300+ apps)
  - Single sign-on to all services (Exchange, SharePoint, Linux servers (QAS), RemoteApp and Remote Desktop Farm, file shares…)
  - Fast search on all user folders
  - Fast login, good and stable overall performance
- Full support of devices and services
- Inexpensive managed notebook offering for PhD students
- Access to all private Cloud/SaaS tools and services, directly over HTTP or with the required client provided by App-V (Dropbox, Skype, TeamViewer)
Features of the Unmanaged World
- New - BYOD officially welcome: private Mac, iPad, ChromeBook, notebooks, tablets, … welcome
- BYOD devices get an IP address in a network outside the Virtual Private Zone of the Institute: they dock into the public ETH docking network, with SSL user authentication.
- No Active Directory Domain joining
- Zero managed configuration, zero monitoring
- Microbiology IT resources accessible:
  - New - Scientific file shares (NAS)
  - New - Printers (direct access over IP or HTTP, no print server)
  - New - SharePoint Intranet
  - New - RemoteApp and Remote Desktop Server Farm
  - New - Access to all features of the Managed World from BYOD through Terminal Services (RDP), but through this channel only.
- No backup service for local data on BYOD
- Zero support of the private BYOD.
This is how I see embracing “consumerization of IT” in a research Institute in higher education, today. This is of course not a definitive concept. Your comments are welcome!