How To Improve Your End-User Device Strategy 2How To Improve Your End-User Device Strategy 2

Who says we're not getting more tolerant? A few years ago, information Analytics managing director Art Wittmann suggested in a column that we give stipends to end users and let them purchase whatever computing devices they desire. The kindest commenter speculated that he'd been dropped on his head as a child. Then, in our July 2008 Radical Desktop Survey, we asked about the likelihood our 376 respondents would adopt such a policy. Just 18% allowed that there was any chance; 43% said probably not, and 37% said heck no.

Given advances in desktop virtualization, app streaming, smartphones, and 3G and Wi-Fi connectivity, we revisited that topic and others with 558 business technology professionals who responded to our October information Analytics survey on end-user devices. We found that some IT groups have expanded their thinking. When asked about the possibility of offering employees stipends to purchase their devices of choice, 44% expressed openness; 17% said it was likely for some or all users.

Yet on the poll's main premise--whether it makes sense to get away from the short-life-cycle upgrade treadmill of powerful, fat desktop PCs--the attitude was, essentially: Well, it might, but most of us are pretty busy right now and don't have the time or inclination to think about anything but fat clients with some enhancements.

"A few executives have smartphones and laptops, but all other employees are using desktops only," says one respondent. "Current mobile end-user devices pose a significant risk to the security of our data and network, and to bring end-user devices up to the point where we can implement them on a widespread basis would require extensive capital investment and reengineering of our network."

Really? We're playing the reengineering card?

So perhaps the increasing openness we're seeing toward end-user devices is less about enlightenment and more about economic necessity. After all, there's nothing like penury to make people willing to try something new. When we look at the context in which IT continues to deploy those fat and expensive desktops, reasons for our new openness come into focus: Budgets have been slashed. Inexpensive netbooks are wildly popular with consumers (your end users). Desktop apps are becoming less dominant, and the devices themselves continue to be labor-intensive to manage. Like nonvirtualized servers of old, fat PCs equal lots of idle resources. We're serving an increasingly mobile and tech-savvy workforce, and many of us have invested in sophisticated data-focused security technologies, like network access control and data loss prevention, that provide defense in depth.

We also need to get serious about cutting spending here, and more than half of respondents do indeed say that they treat end-user device replacement as overhead. One-third are, frankly, doing pretty well in terms of how much they've allocated for desktop upgrades--we consider 10% or less of the total operational budget reasonable. But that means that two-thirds are spending too much. If an IT shop is dedicating over 11% of its budget on PC refreshes, as is the case for 67% of respondents, that's cause for concern. For the 19% spending upward of 21%, we have to ask: Are you the IT department, or the PC department? Continuing to throw buckets of money at something so mundane defies current wisdom that IT dollars should be targeted toward innovation, not maintenance and operations. Some CIOs have already learned that lesson.

Back To School

Niagara Wheatfield Central School District, in New York, plans to implement a virtualized environment to the desktop, says Mary Ann Buch, director of technology and training for the school district. It's an ambitious plan: Buch's district and other agencies in the area have done a limited rollout of virtual desktop infrastructure technology along with inexpensive and highly mobile netbooks, to see if they can use this combo to achieve something that they couldn't with traditional fat clients--a 1-to-1 ratio of laptops to students.

Though neither thin-client nor VDI technology is in wide use among our respondents, desktop virtualization does address some longstanding objections to thin clients, notably that the protections needed in a shared server environment sometimes get in the way of the flexibility that fat clients boast. VDI, since it virtualizes individual desktops, allows for massive flexibility--users can customize all they want. Buch and her associates put together a study that asserts several key business drivers, as well. First, they tested netbooks, and found which ones students would be most likely to adopt. (Those with the best-perceived keyboard and screen-size combo.) They then made a business case for lower power consumption through netbooks rather than desktops. And, since the virtual desktop image resides in the data center, they cited easier management: Students can't subvert lockdown through physical hacks.

In fact, concerns about Trojans or infected end-user devices attacking vulnerable internal networks was the top barrier cited to allowing use of end-user-owned gear (72%). Respondents also worried about how to keep sensitive data from walking out the door and enforce patch levels.

This isn't a new worry; IT shops have always feared the possibility of foreign PCs connecting to the soft underbellies of their networks. But let's face it: These days, partial lockdown--the majority choice of respondents--is a half-baked security philosophy. With a few Google searches and local access to hard drives, a sophisticated user can break most of your barriers in under an hour anyway.

And tell us again how you justified that NAC project?

The bottom line is that a partnership with users is needed because you aren't there to watch them, and frankly, IT doesn't have time to baby-sit. Never confuse management issues with an accounting or a security mechanism. Both of the latter are easily defeated. You can't be a fan of both the fat PC with full physical access and of total lockdown. Perhaps we should focus instead on building relationships and partnering with business units to handle the raging lack of policy compliance (the management issue) rather than putting more padlocks in place.

We Need Partners Here

Consumer tech moves far faster than enterprise tech. And frankly, enterprise users want the benefits of consumer tech. So what's IT's role in this brave new world?

We need to be gap closers. The consumerization of enterprise IT will either be done through you or around you, and the end-user device is a key battleground. General Motors CIO Terry Kline told information in a recent interview that letting employees use consumer technology--such as employees' personal iPhones, or their home PCs--to securely do company work is among his key priorities. GM's testing a USB drive that contains a virtual desktop environment, including VPN and security settings, that employees could use for home PC access to the GM network.

As another sign of the times, during our research, The Wall Street Journal published a piece beating up on IT for not allowing consumer technologies to be used to solve business problems. The article went on to diss everything from lack of storage on e-mail systems (ouch) to slow search to PC lockdown, and then suggested that forward-thinking companies are already allowing users to pick their own devices.

Believe us, your boss and your boss' boss are reading this and similar articles. It's going to become a tidal wave, and probably pretty soon.

Whether you're talking about virtual desktops or virtual application delivery, our respondents' reservations should make virtualization vendors sit up and take notice. First, half have concerns about the widespread adoption of any technology that requires users to remain online. Is that a valid worry, given the fact that GSM and CDMA modems are being built into laptops and netbooks? Valid or not--and given the still-high cost of data plans, we see the logic--the fact remains that vendors either need to make a business case for "always online" or follow MokaFive's or VMware's lead on offering offline VDI for users, although offline use does require a much more capable end-user device than online-only, since the processing starts happening on local hardware.

In our discussions with a number of IT managers, simplification was another ongoing theme. The fat PC can be managed in a cost-effective way if--and only if--it's standardized and treated as a relatively dumb device. This raises the question: Why not just use a relatively dumb device?

Ray Rathburn, an IT specialist at the U.S. Social Security Administration, told us that all of his agency's new applications are targeted to be browser-based. "Clients with existing programs create real testing problems if you want to keep down your IT support costs," says Rathburn. "Every program that you add increases the permutations."

He's absolutely right. We've long known that a lack of controlled, predictable desktops creates one of two undesirable outcomes: an environment where testing is expensive, or one where adequate testing simply doesn't occur, which then leads to even greater support costs plus a loss of productivity when untested permutations create unexpected downtime. If IT can deploy to an environment without those permutations, such as a browser, says Rathburn, this sidesteps the complexity issue. To that end, his agency, like many, treats PCs as static images. When you have trouble with a device, blow it away and reimage.

Which brings us back to our main point: New, inexpensive technology may appear to be unsuitable at first, but in the long run, less may be more. Thin clients with dumb terminals didn't work for most of us. Perhaps smartphones, or Chrome OS netbooks, or notebooks plus VDI, are the middle ground between the security of a big fat client and the agility of a thin and cheap one. But you'll never know if you don't keep an open mind.

If you're considering netbooks, be mindful of their limitations, which we discuss in depth in our "Netbooks Vs. Notebooks" article (see p. 28). For example, most of these devices can't connect to corporate Active Directory domains, because they're typically running XP Home or Windows 7 Starter, at least until Google Chrome OS arrives or a Linux variant catches on. Expect your more rigid IT staffers to freak out at that. But honestly, only Microsoft truly has an interest in workstations logging into Active Directory. The rest of us just want to know that there are LDAP hooks where they're needed.

For users who do e-mail and some data entry, outfitting a netbook or smartphone with an enterprise app image might make sense. In some cases, your organization is paying for a mobile data plan anyway. In our information Analytics Application Mobilization Survey of 695 business technology professionals, 42% of those surveyed say they had plans to deploy mobile enterprise applications on smartphones.

There are exciting new ways to deliver the computing power our employees need without clinging to the feature-laden, company-issued desktop with its three-to-four-year replacement cycle. It's far from certain whether the paradigm that displaces desktops will include netbooks, VDI, applications on smartphones, application streaming, or some combination. But smart CIOs will start exploring their options now so they'll have a chance of ending up with the least expensive and most secure and elegant approach to delivering computing power. At the very least, think carefully before making spending decisions that maintain the status quo.

Jonathan Feldman is is an IT executive and analyst working in North Carolina. He has 20 years of security and network infrastructure experience in government, military, healthcare, financial services, and law enforcement.