One advantage (and limitation) of CIT's Virtual Desktop service is that they limit what applications you can run to the ones they host. (You can package apps for them to host.)
See also
- Consider: Migrate select staff to CIT's Desktop Everywhere
- Evaluate CIT's Desktop Everywhere on Dell Wyse all-in-one system
AWL: Application White Listing
| VDI service | Today's staff desktops | Desktops with white-listing | Notes and comments |
|---|---|---|---|
100% whitelisting. If CIT hasn't allowed it, it won't run.
| If Admin access required, can't install. Otherwise, anything is allowed. Ex: Putty.exe will work. | Can run in audit-only mode to first learn of potential impact. |
Idea: Run whitelisting on existing systems which we believe could be moved to VDI
This would be a way to reality-check wisdom of such a move.
Phases
Phases can help us think about advantages of this approach:
Phase 1: Learn tools available and what apps are being used today
- Can run in audit-only mode to first learn of potential impact.
Phase 2: Have users approve or reject any non-listed apps
- Chemistry IT then reviews all approved ones for consideration of adding to the white list.
Phase 3: Perhaps not do, but possible: Only allow whitelisted applications to work
- Users have to wait until Chemistry IT approves any new application requested.
Resources
- http://www.faronics.com/products/anti-executable/enterprise/
- https://technet.microsoft.com/en-us/library/hh831440.aspx
- https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx