Citrix and Intel bring Virtualization to the Desktop

06 May

Desktop Ownership and Management Will Change Drastically

Citrix makes the following predictions:

  • Prediction #1 – Your company will no longer own your laptop (go ahead, buy that cool new computer).
  • Prediction #2 – Your company will spend more on coffee and office supplies than it does on desktop management.
  • Prediction #3 – You will access your corporate desktop from whatever device is most convenient at the time (just like you do with e-mail today).
  • Prediction #4 – You will switch back and forth between work and personal desktops on the same device, without thinking twice.
  • Prediction #5 – You will never complain about your PC being too slow again.

Citrix and Intel Contribute Heavily to Xen Hypervisor for Clients

I just left a session at the Citrix Synergy 2009 conference titled Bring the Power of Xen to Local Client Virtualization, delivered by Ian Pratt, founder of the Xen open source project. While Project Independence (the codename for XenClient) was announced officially in January 2009, this was the first time I saw it presented at a major event like Citrix Synergy.

Unlike server-based desktop virtualization technologies, like Citrix XenDesktop, XenClient will cache and execute the virtual machines’ operating systems directly on the client for full, off-network mobility for laptop users.

There is a seriously impressive story to tell around security, performance and the manageability benefits that can be brought to client systems when they are virtualized.

“Servers are in a safe, contained environment whereas desktops, realistically, are in constant chaos.” – David Greschler, Director of Virtualization Strategies at Microsoft

Virtualization and Isolation of Personal and Business Computing

Using a bare-metal hypervisor much like we do with servers, two (or more) virtual machines are created: one for your personal stuff and one for business. The two virtual machines are completely isolated at the hardware level by Intel’s VT feature set:

Intel VT includes hardware enhancements that virtualize memory, the CPU, and directed I/O. These features provide a significant level of hardware enforcement for the VMM’s memory manager, and significantly improve isolation of the virtual environment. In turn, this helps improve security for critical processes and sensitive data. [source: Intel Centrino 2 with vPro Whitepaper]

XenClient Architecture

The corporate virtual machine [shown in red in the image, above], managed and locked down significantly by the IT department, has only business applications and cannot be altered by the end-user. The IT department will be responsible for managing this image, backing it up, and applying all patches and updates. All changes made to the system while offline are synchronized back to the data center. A service level agreement and full support for this image will be provided, although likely for a lot less than it currently costs to provide this level of support.

The personal virtual machine [labeled desktop VM in the image, above], managed by the end-user, allows the local installation of personal applications, like iTunes. People are free to play with their computer and do whatever they want. They are free to break their personal system in any way whatsoever; however, their actions will not affect their corporate virtual machine at all. IT can provide a much lower-level service level agreement for this image (if one at all). The suggestion is to give the end-user two options: roll the image back to a previous state using snapshot recovery points, or push a button to bring it back to a crisp, new OS state.

Desktop Management has Never been this Good

Citrix and Intel have delivered us a very powerful tool. I think it’s up to us to figure out how to use it. Here are some of the use cases that came out of our discussions:

  • A desktop image that can be deployed to end-users whether they are virtualized on servers using XenDesktop, or on desktop PCs or laptops, regardless of make/model.
  • Centrally update all systems without worrying about conflicts, because everything is based on your gold image.
  • Have those updates apply to the systems the next time they are turned on, because you are synchronizing the differences between your gold image in the data center and the end-point. You won’t have to worry about whether your end-users are leaving their systems on at night or not.
  • “Lease” policies, such as requiring a system to check in every two weeks; if it does not, the operating system cannot be launched.
  • Remote kill feature for laptops in case they are stolen with the ability to take the user’s desktop image from the data center and push it to a new device or into a XenDesktop server hosted VM until the device is replaced.
  • The ability to remotely and very easily virus scan a virtual machine without it being “on” to better catch and clean the pesky ones.

I’ve heard the term out of band management many times thinking that it was just the ability to turn on/off a system remotely. My exposure to XenClient has redefined what I consider out of band management.

“Out of band management is the ability to do things to a system [like virus scanning] without it being on. Performing maintenance the way that we do it today is like a mechanic changing the engine in a plane while it’s mid-flight.” – Ian Pratt

Official Release is Expected in July of 2009

I have searched all over the Internet trying to find a download to play with. I can’t find one – even over at the xen.org project website.


5 Responses to “Citrix and Intel bring Virtualization to the Desktop”

  1. ksteinhoff

    Sounds cool from a management standpoint.

    As a PC anarchist, I’m always a little uncomfortable with the idea of control being taken away from me. After all, the whole idea of the Personal Computer was to break us away from Big Iron and the dumb terminal.

    As someone who was on the cutting edge of computers, my company adopted as standards several software programs that I couldn’t have experimented with on a locked-down machine.

    That bias aside, here are a couple of quick questions:

    1. I may have skimmed past it in my quick read, but does the end user require a connection back to the mother ship in order to work? In other words, if I’m on a plane or a deserted island, am I able or unable to work on my applications?

    2. I see that you carefully segregate personal and user personalities (for lack of a better term). Still, wouldn’t it be possible for a user to so hose up his machine that he couldn’t access the God Box at the office? Before you answer that too quickly, every time something is built foolproof, a better fool is born.

    I can see, however, where this would be a great tool to administer the masses.

    • adamsteinhoff

      ksteinhoff – Actually, this is exactly what you want as a PC anarchist. This allows you to have a machine that you can do whatever you want with, yet still have IT love you and give you support for your business applications on your other, managed system.

      1. You only need a connection back to the “mother ship” to get the thing going the first time. Once you have your image, you work offline like any other system that you have ever used. When you plug back in, all the changes that the IT folks want you to have (application updates, operating system updates, etc.) are pushed to you and all of your changes (documents, icon placements, favorites, etc.) are sent to them.

      2. There will always be a way to hose up the machine. If there wasn’t, why would you need me?
      a) Likely, it will become much more difficult than it is today, however. Mainly, because the more important business virtual machine will be locked down so tightly that you can’t break it.
      b) The other piece of this is the actual virtualization software layer. If that is broken, you’re out of luck. But, Citrix and Intel are working diligently to actually include this layer in firmware on the system board, much like a BIOS is today. This will provide much greater reliability than having it on a disk.
      c) Then, there is the hardware itself. If it goes bad, you’re also dead. But, what’s neat about this solution is the fact that we will have a full copy of your system back in the data center. And, because it’s virtualized, it can be put on a new system with zero changes to drivers and other things. If you are remote and we can’t get the big image to you quickly, it can be placed on a virtual machine in the data center and delivered to you via some of Citrix’s other delivery methods, with nearly no performance hit, until you can get back to the office or have a system shipped to you with your image on it.

      In my opinion, this is a win-win-win:
      a) End-user gets more control of their system, but also has much more stability for their business side.
      b) IT doesn’t have to support a bunch of crap any longer. If it isn’t in the business system, we’re not supporting it.
      c) Company spends less money on support AND has the ability to actually have their employees Bring Your Own Computer (BYOC).

  2. adamsteinhoff

    I received an email with the following statement/question:

    —–
    So basically they did what apple was trying to do with parallels or bootcamp and then took it a step further with their product suite and security.

    You better have a decent laptop with enough ram for both VM’s and the hypervisor though. Minimum 4gb I’d say.
    —–

    It’s even more than that. They have the ability to directly access the GPU, CPU and NIC from the VM, while having all other things (like USB) move through Dom0. This allows full 3D acceleration and USB device mapping into the VM. And, because it is hypervisor-based you lose the overhead for a base OS and the problems of users screwing it up and not being able to run their business system.

    AND…. Even more cool is that they have the ability for a program from the business system to be seamlessly displayed on the personal one to keep a consistent desktop, all while keeping the security intact. They did a demo with a key-logging application in the personal system with a business app displayed in it. The key-logger grabbed everything until the user moved focus over to the business app and, because of the hardware separation that Intel provides, it stopped.

    As for the hardware on the PC side: yes, you’d need some RAM and a new(er) processor. The other thought is that you could also deploy to XenDesktop using this technology and then deliver it to a ThinClient on someone’s desk. Why, you ask?

    You could have a small group of powerful laptops for people traveling. People could put in a request prior to traveling and then the IT department moves that user’s image from XenDesktop to the physical laptop. This will allow the end-user to be able to work with no Internet connection (something XenDesktop can’t do). When they return from travel, they check the laptop back in and the IT department does the reverse.

    • Benjamin Posner

      I believe that this may be the #1 greatest IT security and desktop/laptop manageability overhaul all companies will need to have. The sheer concept of being able to use 1 device (or, for that matter, any device) for your personal and professional needs, while keeping your business subset secure and manageable, is key to every IT Manager’s dreams. Now if only Apple would let you run their OSX as one of the VMs… you’d have an unstoppable product.

  3. S. FL Business Owner

    Mark my words. This is going to be game-changing: http://bit.ly/N3evA
