One advantage (and limitation) of CIT's Virtual Desktop service is that it limits the applications you can run to the ones CIT hosts. (You can package apps for them to host.)
See also
- Consider: Migrate select staff to CIT's Desktop Everywhere
- Evaluate CIT's Desktop Everywhere on Dell Wyse all-in-one system
AWL: Application White Listing
VDI service | Today's staff desktops | Desktops with white-listing |
---|---|---|
100% whitelisting. If CIT hasn't allowed it, it won't run. | If admin access is required for an install, most end users can't install new software. However, if software can be used without installation, the user can run it. For example, Putty.exe will work. | Can run in audit-only mode to first learn of potential impact. See the idea below for more. |
Idea: Run whitelisting on existing systems which we believe could be moved to VDI
This would be a way to reality-check the wisdom of such a move.
- No other changes would be necessary. Users keep their systems as they are, with their current applications and set-ups, and using their current Windows OS version.
Also, this can work for Mac OS, if tools are found for that operating system. (VDI is Windows-only.)
Phases
Phases can help us think about advantages of this approach:
Phase 1: Learn what tools are available and what apps are being used today
- Can run in audit-only mode to first learn of potential impact.
Phase 2: Have users approve or reject any non-listed apps
- Chemistry IT then reviews all approved ones for consideration of adding to the white list.
Phase 3 (possible, but perhaps not something we do): Only allow whitelisted applications to run
- Users have to wait until Chemistry IT approves any new application requested.
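One way to gather the Phase 1 data and turn it into a Phase 2 review list, as an added example that is not part of the original page. It assumes Microsoft AppLocker in audit-only mode as the whitelisting tool (the page does not choose one); the computer list and output path are hypothetical.

```powershell
# Added example (not from the original page). Assumes AppLocker rules are
# deployed with enforcement mode "Audit only" on the pilot machines.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),  # hypothetical pilot machines
    [int]$Days = 30,                                  # how far back to look
    [string]$OutFile = '.\awl-review.csv'             # hypothetical output path
)

# Event ID 8003: an EXE or DLL was allowed to run, but would have been
# blocked if the policy were enforced.
$filter = @{
    LogName   = 'Microsoft-Windows-AppLocker/EXE and DLL'
    Id        = 8003
    StartTime = (Get-Date).AddDays(-$Days)
}

$rows = foreach ($computer in $ComputerName) {
    try {
        Get-WinEvent -ComputerName $computer -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                $data = ([xml]$_.ToXml()).Event.UserData.RuleAndFileData
                [pscustomobject]@{
                    Computer  = $computer
                    User      = $_.UserId.Value   # SID of the user who ran the file
                    FilePath  = $data.FilePath
                    Publisher = $data.Fqbn        # publisher string, if the file is signed
                }
            }
    } catch {
        # Also raised when a machine simply has no matching events.
        Write-Warning "${computer}: $($_.Exception.Message)"
    }
}

# One line per application, most-used first, with an empty Decision column
# for the user to mark approve/reject (Phase 2) before Chemistry IT review.
$rows | Group-Object FilePath | ForEach-Object {
    [pscustomobject]@{
        FilePath  = $_.Name
        Publisher = ($_.Group.Publisher | Select-Object -Unique) -join '; '
        Runs      = $_.Count
        Users     = @($_.Group.User | Select-Object -Unique).Count
        Computers = @($_.Group.Computer | Select-Object -Unique).Count
        Decision  = ''
    }
} | Sort-Object Runs -Descending | Export-Csv -Path $OutFile -NoTypeInformation
```

Scripts and installers are logged separately, in the 'Microsoft-Windows-AppLocker/MSI and Script' log (event ID 8006 in audit mode).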
Resources
- http://www.faronics.com/products/anti-executable/enterprise/
- https://technet.microsoft.com/en-us/library/hh831440.aspx
- https://technet.microsoft.com/en-us/library/dn986865(v=vs.85).aspx