Implementing the Bring Your Own PC (BYOPC) Concept – with Citrix XenApp, XenDesktop, and/or XenClient
So you want to implement the BYOPC concept for your company?
Although it sounds nice to be able to accept any laptop device in the company network, you do want the hardware chosen by your employees to meet some criteria:
- 3-year guarantee and next-day on-site support
- Quality brands
- Professional looking devices for engineers, sales people and other functions that require working on the customer’s location.
- Insurance against theft, damage, fire etc.
Companies implementing the Bring Your Own PC (BYOPC) concept also have to think about:
- What if the laptop breaks down and the user cannot wait until the next day for the repair technician to fix or replace the laptop?
- What if the laptop has been stolen?
- What if the employee will be leaving the company?
- What do you offer users that do not want a BYOPC laptop?
- How do you implement the company antivirus and anti-spyware software on the un-managed device?
The company can create a BYOPC web shop containing only allowed models to make sure the criteria listed above are met. By buying multiple laptops from one or more vendors, the company might be able to get special discounts.
Based on Citrix technology there are two ways to deliver corporate applications and/or desktops to users using un-managed private/personal laptop devices:
1. Connect from the un-managed Mac/Windows OS to the Citrix Access Gateway. Logon to the web interface with an RSA token and start the applications provided by XenApp or start desktops provided by XenApp or XenDesktop.
2. Stream the managed OS beside the un-managed OS on the same laptop using the XenClient client-side hypervisor (not yet available). See Example 1.
Example 1: overview of the Citrix XenClient client-side hypervisor:
With the first scenario (1), different types of operating systems can connect to the corporate network and use Windows-based business applications available through Citrix XenApp or Citrix XenDesktop.
Citrix has client software for multiple operating systems such as Windows Vista, Windows 7 and Mac OS.
The Bring your own PC (BYOPC) devices can connect to a separate wireless network that allows access to the internet and the Citrix Access Gateway.
For access through the Access Gateway you can require the use of RSA tokens for maximum security.
After logging in, the employee will be redirected to the Citrix Web Interface that will contain all applications and/or desktops that the employee is allowed to use. Through the available published applications or desktops the employees can communicate with back-end services such as email, file servers, print servers, application servers etc.
Example 2: graphical overview of un-managed BYOPC devices with the Citrix Access Gateway for secure access:
With the second scenario (2), for Windows operating systems (XP or newer), the BYOPC laptop will have the Citrix XenClient client-side hypervisor. XenClient will provide the personal/private Windows installation that is un-managed and can be configured by the owner for personal and home use.
Beside the un-managed personal installation the company can stream the managed Windows installation to the laptop on top of the hypervisor. This will enable the owner to switch between the personal and the company installation with a key combination. It will even be possible to display the applications running on the company installation in the personal installation in a seamless window.
At this point it is not yet clear if the vendors will ship laptops that have the XenClient hypervisor pre-installed together with the personal Windows installation, but I guess they probably will.
The Bring your own PC (BYOPC) laptops can connect to a separate wireless network that allows access to the Internet and the Citrix Access Gateway. For access through the Access Gateway you can require the use of RSA tokens for maximum security.
To make sure that the personal installation cannot access the Citrix Access Gateway the company can configure access policies on the Access Gateway. Implementing an internal Certificate Authority with Active Directory auto-enrolled certificates would be a good solution to make sure the Access Gateway can determine if the connecting Windows installation is company managed.
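The certificate check described above, as an added example that is not part of the original post and is not Citrix configuration: `openssl` stands in for both the internal CA and the gateway's client-certificate validation, and every name (the CA subject, the laptop host name) is constructed for the demo. It shows that the decision rests on the issuer chain, so a self-signed certificate made on the personal installation with the same subject name is still rejected.

```shell
#!/usr/bin/env bash
# Constructed lab: an internal CA issues a certificate to the managed image;
# the personal image only has a self-signed certificate it made itself.
# All subjects and file names below are made up for this example.

make_lab() {
  dir=$(mktemp -d)
  # Internal CA (stands in for the Active Directory integrated CA).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Corp Internal CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
  # Managed image: key and CSR, signed by the CA (what auto-enrollment does).
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=laptop01.corp.example" \
    -keyout "$dir/managed.key" -out "$dir/managed.csr" 2>/dev/null
  openssl x509 -req -in "$dir/managed.csr" -days 30 \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/managed.crt" 2>/dev/null
  # Personal image: self-signed certificate reusing the same subject name.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=laptop01.corp.example" \
    -keyout "$dir/personal.key" -out "$dir/personal.crt" 2>/dev/null
  echo "$dir"
}

# Gateway-side policy: allow only certificates that chain to the internal CA.
# $1 = trusted CA certificate, $2 = certificate presented by the client.
# (In a real TLS handshake the client also proves possession of the key.)
gateway_decision() {
  if openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'; then
    echo allow
  else
    echo deny
  fi
}

lab=$(make_lab)
echo "managed image : $(gateway_decision "$lab/ca.crt" "$lab/managed.crt")"
echo "personal image: $(gateway_decision "$lab/ca.crt" "$lab/personal.crt")"
rm -rf "$lab"
```

The policy only holds if the managed image's private key cannot be exported or copied by the laptop owner into the personal installation.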
After logging in, the employee will be redirected to the Citrix Web Interface that will contain all applications and/or desktops that the employee is allowed to use. Through the available published applications or desktops the employees can communicate with back-end services such as email, file servers, print servers, application servers etc.
Example 3: graphical overview of the XenClient BYOPC devices with the Citrix Access Gateway for secure access:
All scenarios can be combined with an external Citrix Access Gateway for connecting from home or any other location that has an available internet connection.
If the company can provide solid solutions that address the problems I listed at the beginning of the document (such as on-site spares and fully managed devices for anyone that does not want a BYOPC laptop), then this concept offers many advantages:
- Happy users that can work with the client device of their choice.
- Lower TCO and support costs for client devices
- Applications can be implemented and upgraded faster running on XenApp servers or XenDesktop VDIs with single server images and Citrix Provisioning Server, or application virtualization with Citrix streaming or Microsoft App-V
- Upgrading the company OS can be done faster by deploying a new image to all XenClient BYOPC devices (this requires LAN connectivity; streaming the OS over the WAN would take too long)