Point of View – Virtualized Desktop and Cloud Workspace
This article is intended to offer an overview of the different solutions available for delivering a virtualized workspace and to compare each solution in terms of its applicability to different environments.
This document is primarily intended for leadership audiences such as the Head of Digital Workplace, CTO and CIO, for technical teams (Enterprise Architect, Solution Architect, workspace domain architect), and for roles involved in the decision process when exploring workspace virtualization.
This article and all information provided herein (the “information”) is provided on an “as is” basis and for general information purposes only. I expressly disclaim all warranties of any kind, whether express or implied, including, but not limited to, the implied warranties of merchantability, fitness for a particular purpose, and non-infringement. I make no warranty that the information is error-free, accurate, or reliable. I reserve the right to make changes or updates at any time without notice. Product or company names mentioned in this article are the trademarks of their respective owners.
This article throws light on the Desktop-as-a-Service (DaaS) market. This area is growing faster than ever because the pandemic has forced people to work from home.
Gartner expects that by 2023, 30% of all on-premises VDI users will access a workspace in the Cloud using DaaS. With remote working more popular than ever due to the current circumstances (COVID-19), the growth of virtualized desktop environments that enable users to work from anywhere, anytime will continue to rise. The objective of this document is to capture an overview of the solutions available in the market and to help organizations decide by providing a comparison based on user profiles and the key features available across these solutions.
The following yearly research is a global initiative for and by the entire EUC community and shows independently what the market looks like.
The survey shows that Microsoft Windows Virtual Desktop and Citrix Cloud Workspace are two leading solutions that are preferred by most organizations aiming to provide Cloud Workspace experience to their end-users.
Windows Virtual Desktop
Windows Virtual Desktop (WVD) is a PaaS-based desktop and app virtualization service that runs on the Microsoft Azure public Cloud and offers the following:
Set up a scalable multi-session Windows 10 deployment that delivers full Windows 10 capability
Virtualize Office 365 ProPlus and optimize it to run in multi-user virtual scenarios
Provide Windows 7 virtual desktops with free Extended Security Updates
Bring existing Remote Desktop Services (RDS), Windows Server desktops, and apps to any computer
Virtualize both desktops and apps
Manage Windows 10, Windows Server, and Windows 7 desktops and apps with a unified management experience
The high-level architecture view for Windows Virtual Desktop is as follows:
As shown in the architecture, the following are key requirements for WVD:
· Azure Subscription
· Azure AD Tenant / Directory Services
· Office 365 E3/E5 licenses
· File storage for FSLogix profile containers, covered in the Microsoft subscription
Windows Virtual Desktop on Azure:
WVD Key Features
Windows Virtual Desktop gives the only multi-session Windows 10 experience, including compatibility with Microsoft Store and existing Windows line-of-business apps, while delivering cost advantages.
Allows virtualizing both full desktops and remote apps.
It can also be used for persistent Windows 10 – single-user virtual desktops.
WVD supports Windows 7 virtual desktops and is the only way you can safely run Windows 7 after its End of Life on 14 January 2020. Windows 7 desktops on WVD will be the ONLY systems that receive free extended security updates.
Windows Virtual Desktop session host VMs are not exposed to the internet directly. They can run using a private IP address and run isolated from other workloads or even the internet. The reverse connect technology allows the VMs to be accessed
When a user connects to the WVD service, the use of Azure Active Directory (AAD) as the identity provider allows users to leverage additional security controls such as multifactor authentication (MFA) or conditional access.
It is deeply integrated with the security and management of Microsoft 365, such as Intune modern management.
All the NVIDIA vGPU N-Series virtual machines on Azure, and the recently announced AMD EPYC CPU/GPU graphics-enhanced N-Series virtual machines, are supported with Windows Virtual Desktop.
Why should users adopt WVD?
Enhanced User Experience:
WVD is a true Windows 10 Operating System providing a similar look & feel to locally installed Windows 10. Users can pin the most frequented apps, and work on apps as if these are installed locally.
WVD leverages FSLogix to provide profile persistence in a non-persistent environment. FSLogix makes users' most frequently used data available at sign-in, so applications are hydrated on launch even when hosts are shared across multi-user sessions.
Clients using Microsoft Office 365 get good performance, because users reach Office 365 applications directly from Azure over Microsoft's Cloud connectivity and therefore get quick access to Office 365 services.
Microsoft provides a fully managed solution, improving the security of corporate data by isolating it from personal data on the devices.
WVD licensing is per user rather than per device. Organizations need the following to enable WVD:
Windows 10 Subscription for each user
Azure AD Tenant and Azure AD Deployment Services
Azure Infrastructure: the infrastructure will vary depending on whether pooled or personal desktops are chosen.
Customers with the following license SKUs are entitled to use WVD with no additional charge apart from Azure compute, storage, and network usage billing:
To run Windows 10 multi-session or Windows 10:
Microsoft 365 F1, E3, E5, A3, A5, Business
Windows 10 Enterprise E3, E5
Windows 10 Education A3, A5
Windows 10 VDA per user
To run Windows 7:
Microsoft 365 E3, E5, A3, A5, F1, Business; Windows E3, E5, A3, A5
To run Windows Server 2012 R2, 2016, 2019:
Remote Desktop Services (RDS) Client Access License (CAL) with active Software Assurance (SA)
It is estimated that the effective cost per user per month is $5.12, based on the configuration below (refer to the Appendix for a sample cost calculation):
No. of users: 1000 pooled users with 90% concurrency during business hours and 5% concurrency outside business hours
Virtual machine: D8a v4 (8 vCPUs, 32 GB RAM) with E10 disks (128 GiB, 500 IOPS); a total of 29 instances are planned
The prices are calculated based on 1 year reserved prices with upfront payments.
Clients can further reduce the investment by 33% if they opt for a three-year reservation. Please refer to section 7 (Appendix) for further details on the estimated cost for Microsoft WVD.
Virtualized environments present a unique set of challenges for collaboration apps such as Microsoft Teams. Increased latency, high host CPU usage, and poor overall audio and video performance are some examples.
Microsoft Teams can be used in Windows Virtual Desktop environments for its chat and collaboration features. However, Windows Virtual Desktop does not support the Teams on VDI audio/video (AV) optimizations, so calls and meetings are not supported; on the Citrix platform, calling and meeting functionality is also supported.
Today, Microsoft is following in the footsteps of Citrix by building its control plane hosted in Azure. Both organizations understand that building and maintaining a VDI foundation on-premises is a great deal of work, as it requires many components.
Citrix Cloud Workspace
Citrix Workspace Cloud simplifies the management of virtual applications, desktops, mobile devices, and data sharing with its Cloud-based management platform. Organizations can choose where to put organization resources (hypervisors, VDAs, and StoreFront servers, for example) on-premises or in a private or public Cloud.
The Citrix Workspace Platform provides a single platform for delivering a unified administration experience using a Cloud-based management tool. Inside Workspace Platform, customers can subscribe to different Cloud services to configure the desired user workspace experience.
The conceptual architecture is as follows:
There are several Citrix Cloud Services that combine to enable the full workspace user experience. Examples of the services offered in the workspace platform are Virtual Apps & Desktops, Secure Browser, Gateway, Content Collaboration, Endpoint Management, Analytics, and more. These services are updated and managed by Citrix which reduces deployment and system update effort by administrators and allows management staff to focus on other more strategic tasks.
What’s new in Citrix
Customers can create multi-session machine catalogs and delivery groups with Windows 10 multi-session on Azure from the Citrix Cloud control plane. This will in all probability also become available from Citrix Virtual Apps and Desktops hosted on-premises in the not-so-distant future. Citrix offers the following delivery options:
Simple – Citrix Managed Desktops is the fastest and easiest way to deploy WVD workloads
Flexible – Citrix Virtual Apps and Desktops Service provides advanced management, monitoring, provisioning, and user experience for WVD workloads
Comprehensive – Citrix Workspace provides the comprehensive digital experience for all resources, including WVD workloads
Citrix Cloud is licensed on a subscription-based model. Licensing is per user per year, and customers get the best pricing if they commit for a 3-year term.
Virtual Apps & Desktops Service is the direct match to the on-premises deployment, but as on-premises, there are options for workspace bundles in the Cloud that include other services such as endpoint management, Citrix Files, etc.
The standard price for Workspace Premium Plus is $24 per user per month. The following services are add-ons:
Citrix Analytics for Security and Performance
Citrix Managed Desktops
Amazon WorkSpaces
Amazon WorkSpaces is the managed Desktop-as-a-Service environment from Amazon Web Services. It is available for Linux and Windows desktop environments, which can be deployed using Amazon-supplied or custom images and quickly scaled to provide thousands of desktops to workers across the globe. It is billed either monthly or hourly, and only for the WorkSpaces you launch. With Amazon WorkSpaces, users get a fast, responsive desktop of their choice that they can access anywhere, anytime, from any supported device. WorkSpaces clients are available for Windows, Linux, macOS, Chromebook, iPad, Fire tablets, and Android tablets, as well as through a web browser.
The following diagram illustrates the high-level architecture of Amazon WorkSpaces:
Each Workspace is associated with a virtual private cloud (VPC), and a directory to store and manage information for your WorkSpaces and users. Directories are managed through the AWS Directory Service, which offers the following options: Simple AD, AD Connector, or AWS Directory Service for Microsoft Active Directory.
Amazon WorkSpaces uses a directory, either AWS Directory Service or AWS Managed Microsoft AD, to authenticate users. Users access their WorkSpaces by using a client application from a supported device or a web browser, and they log in by using their directory credentials. The login information is sent to an authentication gateway, which forwards the traffic to the directory for WorkSpace. After the user is authenticated, streaming traffic is initiated through the streaming gateway.
Client applications use HTTPS over port 443 for all authentication and session-related information. Client applications use port 4172 for pixel streaming to the WorkSpace and for network health checks.
Each WorkSpace has two elastic network interfaces associated with it: a network interface for management and streaming (eth0) and a primary network interface (eth1). The primary network interface has an IP address provided by your VPC, from the same subnets used by the directory. This ensures that traffic from your WorkSpace can easily reach the directory. Access to resources in the VPC is controlled by the security groups (firewalls) assigned to the primary network interface.
AWS WorkSpaces Key Features
Persistent desktop experience
The flexibility of either monthly or hourly billing.
Deploy and manage applications for your Windows WorkSpaces by using Amazon WorkSpaces Application Manager (Amazon WAM).
For Windows desktops, you can bring your licenses and applications, or purchase them from the AWS Marketplace for Desktop Apps.
Can be integrated with your on-premises directory so that your users can use their existing credentials to obtain seamless access to corporate resources.
Use the same tools to manage WorkSpaces that you use to manage on-premises desktops.
Support for multi-factor authentication (MFA).
Support for encrypting data at rest, disk I/O, and volume snapshots using the AWS Key Management Service (AWS KMS).
Control the IP addresses from which users are allowed to access their WorkSpaces.
Audio-In – Make and receive calls from WorkSpaces using communication tools such as Skype, Teams, and WebEx.
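The encryption and IP-restriction controls listed above are easy to leave unset on individual WorkSpaces or directories. The script below is an added example (not from the article or from AWS) that audits a constructed inventory for WorkSpaces without KMS volume encryption, directories with no IP access control group, and IP rules that are invalid or overly broad; the dictionary shapes are an assumption modelled on the boto3 describe_workspaces, describe_workspace_directories and describe_ip_groups responses.

```python
"""Audit a WorkSpaces inventory for missing volume encryption and weak IP
access controls. The sample data below is constructed for illustration."""
import ipaddress

# Constructed sample: three WorkSpaces across two directories.
WORKSPACES = [
    {"WorkspaceId": "ws-0000000001", "DirectoryId": "d-0000000001",
     "UserName": "alice", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-0000000002", "DirectoryId": "d-0000000001",
     "UserName": "bob", "RootVolumeEncryptionEnabled": False,
     "UserVolumeEncryptionEnabled": True},
    {"WorkspaceId": "ws-0000000003", "DirectoryId": "d-0000000002",
     "UserName": "carol", "RootVolumeEncryptionEnabled": True,
     "UserVolumeEncryptionEnabled": True},
]
# Constructed sample: the second directory has no IP access control group.
DIRECTORIES = [
    {"DirectoryId": "d-0000000001", "ipGroupIds": ["wsipg-0000000001"]},
    {"DirectoryId": "d-0000000002", "ipGroupIds": []},
]
# Constructed sample: one tight corporate rule and one catch-all rule.
IP_GROUPS = [
    {"groupId": "wsipg-0000000001", "groupName": "corp-egress",
     "userRules": [{"ipRule": "203.0.113.0/24", "ruleDesc": "HQ egress"},
                   {"ipRule": "0.0.0.0/0", "ruleDesc": "temporary"}]},
]


def unencrypted_workspaces(workspaces):
    """Return ids of WorkSpaces whose root or user volume is not KMS-encrypted."""
    return [w["WorkspaceId"] for w in workspaces
            if not (w.get("RootVolumeEncryptionEnabled")
                    and w.get("UserVolumeEncryptionEnabled"))]


def directories_without_ip_groups(directories):
    """Return ids of directories with no IP access control group attached."""
    return [d["DirectoryId"] for d in directories if not d.get("ipGroupIds")]


def overly_broad_ip_rules(ip_groups, max_addresses=65536):
    """Flag rules that are not valid CIDR or admit more than a /16 of IPv4."""
    findings = []
    for group in ip_groups:
        for rule in group.get("userRules", []):
            cidr = rule.get("ipRule", "")
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((group["groupId"], cidr, "invalid CIDR"))
                continue
            if net.num_addresses > max_addresses:
                findings.append((group["groupId"], cidr, "rule too broad"))
    return findings


def audit(workspaces=WORKSPACES, directories=DIRECTORIES, ip_groups=IP_GROUPS):
    """Run all three checks and return the findings as one report."""
    return {
        "unencrypted": unencrypted_workspaces(workspaces),
        "no_ip_group": directories_without_ip_groups(directories),
        "broad_rules": overly_broad_ip_rules(ip_groups),
    }


if __name__ == "__main__":
    for check, result in audit().items():
        print(f"{check}: {result}")
```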
WorkSpaces clients are available for the following operating systems:
Microsoft Windows 7, Windows 8, and Windows 10
Apple macOS (10.8.1 and above)
Linux (Ubuntu Linux 18.04 and above)
Google Chrome OS (45 and above)
Apple iOS (8.0 and above)
Google Android (4.4 and above)
Amazon Fire OS 4 and Fire OS 5
Supported WorkSpaces Operating Systems
Amazon WorkSpaces offers Amazon Linux WorkSpaces built on Amazon Linux 2 LTS or Windows 10 desktop experiences. The Windows 10 desktop experience is powered by Windows Server 2016. If your organization is eligible to bring its own Windows Desktop licenses, you can run the Windows 10 Enterprise operating system on your Amazon WorkSpaces. (Refer to the section on BYOL)
AWS provides the Amazon WorkSpaces Cost Optimizer to enable automatic conversion of WorkSpaces to the most cost-effective billing option (hourly or monthly) depending on a user's individual usage.
The running mode of a WorkSpace determines its immediate availability and how you pay for it, providing additional cost optimizations. You can choose between the following running modes when you create the WorkSpace:
AlwaysOn — Use when paying a fixed monthly fee for unlimited usage of your WorkSpaces. This mode is best for users who use their WorkSpace full time as their primary desktop.
AutoStop — Use when paying for your WorkSpaces by the hour. With this mode, your WorkSpaces stop after a specified period of inactivity, and the state of apps and data is saved. To set the automatic stop time, use AutoStop Time (hours).
When possible, the state of the desktop is saved to the root volume of the WorkSpace. The WorkSpace resumes when a user logs in, and all open documents and running programs return to their saved state.
Amazon WorkSpaces offers a range of bundles that provide different hardware and software options to meet your needs. You can choose from Value, Standard, Performance, Power, PowerPro, Graphics, or GraphicsPro bundles that offer different CPU, GPU, memory, and storage resources (SSD volumes) options, based on the requirements of your users. You can select the amount of storage that you need for both root and user volumes when you launch new WorkSpaces, and you can increase storage allocations at any time. With hardware bundle switching, you can switch between the Value, Standard, Performance, Power, or PowerPro hardware bundles as needed.
AWS pricing varies per region and resource bundle. There are seven bundles to select from based on the use case or user story, operating system requirement, and region.
Bring Your Own License (BYOL)
WorkSpaces supports bringing your own Windows license, which will run on dedicated hardware within the AWS region to comply with Microsoft licensing requirements. The base deployment requirement to enable BYOL is 200 non-GPU-enabled or 4 GPU-enabled WorkSpace instances in a region per month.
Windows desktops are based on the Windows Server 2016 desktop experience, unless you bring your own license (see the note on BYOL)
Each WorkSpace is assigned to a single user and cannot be shared by multiple users.
By default, only one WorkSpace per user per directory is allowed
Microsoft RDP client is not supported for connection
VMware Workspace ONE
The VMware Workspace ONE solution is built from VMware products: VMware Horizon, Workspace ONE productivity apps, and the unified endpoint management tool AirWatch. Workspace ONE can integrate existing identity management tools, applications, and endpoint management tools while delivering virtual desktops and applications.
Workspace ONE UEM delivers the enterprise mobility management portion of the solution. Workspace ONE UEM allows device enrollment and uses profiles to enforce configuration settings and management of users’ devices. It also enables a mobile application catalog to publish public and internally developed applications to end-users.
Workspace ONE Access provides the solution’s identity-related components. These components include authentication using username and password, two-factor authentication, certificate, Kerberos, mobile SSO, and inbound SAML from third-party Workspace ONE Access systems. Workspace ONE Access also provides SSO to entitled web apps and Windows apps and desktops delivered through either VMware Horizon or Citrix.
VMware Workspace ONE Key Features
Workspace ONE provides the following features that maintain security and deliver an enhanced experience to end-users:
App Provisioning: VMware provides automated distribution of applications based on the users' profile. Organizations can deliver apps to users in real-time enhancing their productivity.
Seamless Access: Users get seamless access to assigned applications after authentication. Applications can be configured for single sign-on (SSO), so users enter credentials only once and then use all assigned applications.
Anytime Anywhere AnyDevice access: Users have an option to work on their private devices which can be managed by securing corporate contents and allowing users to maintain privacy. Based on users’ profiles, the devices can be enrolled and assigned applications can be made available through any device.
Corporate Security and Compliance: Workspace ONE allows the organization to deploy conditional access policies that validate device compliance and allow only compliant devices to access organization resources. Compliance can be validated periodically, and organizations can also trigger actions based on the compliance level.
Corporate App Store: Organizations can build the ‘Corporate App Store’ allowing users to access pre-approved apps. Users can install/uninstall applications based on their needs which reduces the time for approval workflow and unnecessary administrator activities.
Content Protection: Workspace ONE prevents data leakage by controlling how attachments are opened and shared from the productivity apps (mail, etc.). This feature forces documents and URLs to open only in approved applications, preventing accidental or deliberate distribution of sensitive information.
Optional Secured Browsing: Users can use VMware Workspace ONE Web instead of third-party browsers, which makes browsing more secure.
Data loss prevention (DLP)
VMware Workspace ONE is recommended for mobile workers: either task-based workers who perform regular tasks with access to a limited set of applications on corporate-provided and corporate-managed devices, or knowledge workers who access SaaS-based applications from their own devices, which can be partially managed by the corporation to secure its content.
In addition to mobile workers, if an organization has contractor profiles that need limited access in terms of time and applications, the VMware Workspace ONE solution is a good fit. Contractors' access can be restricted to line-of-business applications, limited to a set period, and revoked.
Workspace ONE comes in four different editions to make it simple for organizations to license the right amount of technology based on user and endpoint requirements.
Standard: Secure Access and Device Management
Advanced: Unified Endpoint Management and Secure Mobile Apps
Enterprise: Intelligence-driven Secure Digital Workspace with Horizon Apps Universal
Enterprise for VDI: Intelligence-driven Secure Digital Workspace with Horizon Cloud
The monthly subscription-based standard list prices are as follows:
Perpetual licenses are also available; however, subscription-based licenses are most commonly adopted by organizations to gain flexibility and establish a pay-per-use model.
Both on-premises VDI and Cloud VDI bring value that is specific to the industry, the domain, and the user profile. There are still open questions underneath on performance, security, experience, and management that remain to be solved.
Microsoft is a contender with WVD, as it is the only one to provide multi-user access to Windows 10 in the Azure Cloud. Citrix has been the leader in desktop and application virtualization from its WinFrame and MetaFrame days through to HDX today. VMware, with deep roots in server virtualization, built its VDI platform on its own innovations. AWS did not miss the train and brought Cloud VDI to meet the demand for a Cloud workplace.
Microsoft and AWS meet the Cloud workplace demand for the virtual desktop. An enterprise needs to blend various technologies to meet demands specific to its domain and compliance requirements, and to capitalize on existing investments in Citrix or VMware when integrating a VDI solution. This is where the Cloud leaders and the VDI product leaders come together to meet today's and future business demands.
In summary, the following diagram captures the positioning of different solutions.
To conclude the point of view, the adoption of each solution largely depends upon the client environment and where the client stands on its journey towards a virtualized workspace.
Microsoft and Citrix are partners, and customers can take advantage of WVD as a standalone solution if it meets their requirements. If they need more advanced features and functions, such as SaaS apps, hybrid workloads, or seamless access to user data and resources, then they can look beyond standalone WVD to solutions such as Citrix Workspace.
AWS enables the provisioning of virtual, Cloud-based Microsoft Windows or Amazon Linux desktops for users, known as Amazon WorkSpaces. Amazon WorkSpaces eliminates the requirement to purchase and deploy hardware or install complex software, and users can be added or removed whenever requirements change. This brings the value of VDI to the AWS Cloud; the pros of AWS are its Cloud standards and performance. The cons are the limitations on end-user productivity when comparing Amazon WorkSpaces with WVD on Azure; it is a head-to-head competition for VDI in the Cloud. Citrix Workspace and VMware Workspace ONE both complement Amazon WorkSpaces for use in a hybrid VDI integration. Amazon WorkSpaces provides VDI in the Cloud with a minimal set of features and functions; there are limitations on intelligent experience, integration with Microsoft Office, unified management, and the security model when using Amazon WorkSpaces.
To conclude, Desktop as a Service is indeed a growing market with many industry-leading players. Selecting the best option depends entirely on an enterprise's requirements for compliance, security, infrastructure, user base, etc.
The following resources were referred to during the preparation of this article.