Do we really want to allow our users to have the ability to self provision / install applications? Won’t this just cause mayhem and anarchy? How will we ensure that we are licensed to install the applications that the users choses to install?
These are a small sample of some of the obvious and key issues that the IT administrator needs to seriously consider when thinking about allowing the user to install applications of their own choice.
Just this week, @HarryLabana asked the following question via twitter – “Are user installed apps a compliance nightmare waiting to happen?”. A very sensible question that effectively is asking, “WHY should we even consider allowing the user to install their own stuff?”
To labor on the need briefly, it is relatively simple as to why we need to cater for it (we don’t need to agree with it but we do have to accept it to a certain degree :-( ). Bottom line is that for years, there has been a challenge with packaging all the applications required by a user to conduct their daily duties. This is a challenge that traditional desktop managers have had for years, and now with desktop virtualization it is perhaps getting more noise. Unfortunately it is not going away any time soon, in fact may be getting worse as time progresses and the number of applications increases. If we choose to not allow users to install their own stuff, then how do we ensure that the user does not fall foul downstream of an application not being available and hence their inability to conduct their work? An obvious example would be the corporate user who uses Microsoft Live Meeting to conduct online meetings, who has a meeting booked with an organization that uses Citrix GoToMeeting. The GoToMeeting client would not be installed, and hence the user would only find this out 5 to 10 minutes before the session, and hence would be unable to join :-(
@coldroyd wrote about the various user installed applications a month or so ago and is well worth a read – https://appsense.wordpress.com/2009/10/05/what-is-a-user-installed-application-and-why-should-we-care/
So, now we have accepted that we need to cater in some form or another, we can move on to consider HOW. The key aspects to delivering users with the ability to install their own apps is CONTROL – it would be insane (most would argue) to allow ALL users with the ability to install their own stuff. Very quickly the enterprise would find themselves in a situation where literally 1000’s of applications have found their way in, and are posing a serious legal issue. It is [mostly] true that a typical enterprise using laptop devices has this very issue today, since the majority of users of laptop devices are administrators of them. There is usually a solid business reason [from years gone by] as to why the user is an administrator, whether that reason being a requirement to install printer drivers [pre Vista] or something like that. Typically, once a user has admin rights, it is nigh impossible to get them back again :-(.
Arguably this is all part of something called “User Rights Management” as well as “Personalization”. Both of these are clearly becoming markets in their own right with vendors appearing in it regularly, and many other vendors morphing their solutions to fit the model(s) also ;-)
In order to deliver against the need, but to do so in that all important controlled manner, we need to enable / allow for the following (there will be more – these are just the key areas);
- Only allow certain users to install apps (AD group based / end point device based)
- Only allow those users to install from certain [internal] network location(s) – that way the enterprise can control exactly WHAT a user who is authorized to install can install
- Only allow those users to install applications from certain vendors
- Full reporting is required to enable the administration team to be able to see what is out there in a quick snapshot
- Full administrative override to enable rapid removal of any applications as necessary
The overriding point here is simple – user installed applications is NOT for everyone, but it will be for a significant portion of the user population, so we need to provision for it in some way – simply saying no will not cut it.
AppSense 
Nice article
Could you comment on how you feel the flood of new Adobe AIR apps, Silverlight apps and applications delivered through the browser (RIA included and excluded for discussion sake) affect the way we control, deliver and secure our end point apps?
I think it’s easy to discount Adobe AIR as a great way to deliver a twitter client, but I am seeing more and more business oriented apps that will run on my mac as well as my windows instance through AIR/FLEX and Silverlight.
It is different with Silverlight I am hearing about large companies porting legacy code to Silverlight.
Great point Eric and thank you btw. A little off the path that I was taking with the posting, although in fairness, very closely related :-)
As we begin to see such applications appear then we will doubtlessly need to provide mechanisms to enable control options over the access (and usage of) to those applications. As you rightly state, we are going to see business use increase for such applications over time and we will need to be ready. My initial knee jerk comment however would be one such as “when will we really see such apps?” since this has delivery model for applications been threatened for almost as long as I can remember.:-) AppSense Appliction Manager and AppSense Environment Manager are already perfectly suited to deal with this as and when the need arises.
Interestigly this poses us with another question – do we need to support other operating environments such as your mac? Presently we are a Windows house with diatant plans t look further afield – mabe just maybe, we ave found the business case to do tht sooner rather than later? Your thughts would be appreciated…
Thanks,
Simon.
Hi Simon-
Timing is everything isn’t it! You’re right, we have been hearing about operating system agnostic code for a long time. Java was a good concept, and it is virtualization by many definitions, but in implementation it was generally awful in my experience.
I agree AppSense is very well positioned for Windows environments, and I would not build an environment without it. But what happens when the applications themselves become the environment? While I was pontificating about this a few months ago, being contentious as usual, I ran across a video of a Silverlight deployment the US Army did converting legacy Windows-only code to web enabled code in a matter of months. This made me really take notice.
So do we always look to the operating system layer as the proper place to implement controls and personalization? I’m not sure we have much choice, but maybe we do. Adobe AIR apps are incredibly easy to install and undoubtedly we will see attacks written for this platform as admins allow this platform to run in the enterprise.
Currently Adobe is experiencing incredible adoption rates. So do we not allow applications like Flash, Silverlight, and AIR/FLEX, or do we figure out how each of these platforms work every time a new one comes out, is updated or patched? Alternatively, do we rely on the environment designers to put proper and evolving security mechanisms in place? I doubt it. Adobe themselves claim the AIR platform is secure but only when the applications that run on-top of it are written correctly and with the right intentions…huh or duh… not sure which?
Do we take others seriously too? Like WINE? I run some apps for administration in WINE. I know it’s a windows emulator, not a new delivery mechanism, but will it ever get good enough to allow admins a broader choice in operating systems? More likely I see applications slowly being ported over to a web delivered format, and eventually legacy- Windows applications that are difficult to port to a RIA, relegated to SBC for its execution environment.
This is very interesting: http://www.theregister.co.uk/2009/09/24/silverlight_to_linux/
I’m just not sure at what layer we need to provide those controls. But I have some ideas on it! I started talking to Jon Wallace about it the other night. One way to think about this is 7 or 8 years ago I knew some admins that took a whitelist only approach to the internet. Do we need to consider a broader content, filter-type approach like bluecoat and others offer for application communication behavior, not website content? I know many of these already filter for av traffic or executable code but what about if the executable code is allowed like AIR?
I drew out a couple whiteboards at home to sort this out, you know you are a nerd when you are white-boarding at home!
-ESP
Here is the US Army app I was talking about:
http://channel9.msdn.com/posts/AdamKinney/US-Army-using-Silverlight-for-Resourcing-Troops/