User Installed Applications – won’t they just cause me a huge headache?

November 12, 2009

Do we really want to allow our users to have the ability to self provision / install applications? Won’t this just cause mayhem and anarchy? How will we ensure that we are licensed to install the applications that the users choses to install?

These are a small sample of some of the obvious and key issues that the IT administrator needs to seriously consider when thinking about allowing the user to install applications of their own choice.

Just this week, @HarryLabana asked the following question via twitter – “Are user installed apps a compliance nightmare waiting to happen?”. A very sensible question that effectively is asking, “WHY should we even consider allowing the user to install their own stuff?”

To labor on the need briefly, it is relatively simple as to why we need to cater for it (we don’t need to agree with it but we do have to accept it to a certain degree :-( ). Bottom line is that for years, there has been a challenge with packaging all the applications required by a user to conduct their daily duties. This is a challenge that traditional desktop managers have had for years, and now with desktop virtualization it is perhaps getting more noise. Unfortunately it is not going away any time soon, in fact may be getting worse as time progresses and the number of applications increases. If we choose to not allow users to install their own stuff, then how do we ensure that the user does not fall foul downstream of an application not being available and hence their inability to conduct their work? An obvious example would be the corporate user who uses Microsoft Live Meeting to conduct online meetings, who has a meeting booked with an organization that uses Citrix GoToMeeting. The GoToMeeting client would not be installed, and hence the user would only find this out 5 to 10 minutes before the session, and hence would be unable to join :-(

@coldroyd wrote about the various user installed applications a month or so ago and is well worth a read –

So, now we have accepted that we need to cater in some form or another, we can move on to consider HOW. The key aspects to delivering users with the ability to install their own apps is CONTROL – it would be insane (most would argue) to allow ALL users with the ability to install their own stuff. Very quickly the enterprise would find themselves in a situation where literally 1000’s of applications have found their way in, and are posing a serious legal issue. It is [mostly] true that a typical enterprise using laptop devices has this very issue today, since the majority of users of laptop devices are administrators of them. There is usually a solid business reason [from years gone by] as to why the user is an administrator, whether that reason being a requirement to install printer drivers [pre Vista] or something like that. Typically, once a user has admin rights, it is nigh impossible to get them back again :-(.

Arguably this is all part of something called “User Rights Management” as well as “Personalization”. Both of these are clearly becoming markets in their own right with vendors appearing in it regularly, and many other vendors morphing their solutions to fit the model(s) also ;-)

In order to deliver against the need, but to do so in that all important controlled manner, we need to enable / allow for the following (there will be more – these are just the key areas);

  • Only allow certain users to install apps (AD group based / end point device based)
  • Only allow those users to install from certain [internal] network location(s) – that way the enterprise can control exactly WHAT a user who is authorized to install can install
  • Only allow those users to install applications from certain vendors
  • Full reporting is required to enable the administration team to be able to see what is out there in a quick snapshot
  • Full administrative override to enable rapid removal of any applications as necessary

The overriding point here is simple – user installed applications is NOT for everyone, but it will be for a significant portion of the user population, so we need to provision for it in some way – simply saying no will not cut it.