Published: 09 May 2013
One of the longtime goals of desktop admins has been to get control of users’ desktops. One way to do so is to take away users Windows desktop admin rights, and buy employees iPads.
Getting control of users' Windows desktops means the company’s desktop environment will be cheaper, easier to manage and more secure. This is not lost on desktop virtualization vendors, and virtual desktop infrastructure (VDI) products enabling such control have been part of the marketing push since Day 1.
But getting control of a Windows desktop means that the user has to relinquish admin rights. After all, if users have Windows desktop admin rights, they can simply undo any of the restrictions a company puts in place, which pretty much defeats the whole point of gaining control in the first place.
In the old days (like, 10 years ago) this wasn’t a problem. Companies provided all of the IT capabilities that users needed. But now that we have this whole consumerization thing, users want access to software and services that the IT departments don’t know about.
While many CIOs are on board with that concept in principle, in practical terms it’s not so simple. Really, how is a company supposed to balance these competing needs? If the companies let users do whatever they want, they can use admin rights to remove compliance software, get around security restrictions and install crapware applications that steal sensitive data.
On the other hand, if companies completely restrict and lock down users’ desktops, then we’re back where we started in the pre-consumerization world where users couldn't get their jobs done.
The $500 solution
But there’s an easy (if unconventional) way to withhold users' Windows desktop admin rights and still allow them to get work done: Give users a centrally-managed, locked-down Windows desktop, plus a tablet or iPad to do all the personal/non-IT-supported things.
This approach is truly a win-win. The IT department is happy because it can provide a simple, non-persistent, locked-down Windows desktop environment. If users aren’t admins, they can’t screw up their devices or data. And because users can’t install their own apps without admin rights, IT can simply refresh if users do screw up. It’s a desktop admin’s dream.
And it’s a user’s dream too. Sure, they can’t install new applications into their Windows desktop environment, but they now work at a cool company that gave them an iPad, and they can install whatever apps they want on it.
The whole concept of trading users’ admins rights for iPads is not exclusive to VDI environments, though most of the iPad apps users want are those that cause a lot of trouble for VDI anyway, such as Web browsing with multimedia, Skype, YouTube, Facebook and games. So if you can “buy” your users admin rights for $500, that’s a pretty good deal for everyone.
Let us know what you think. Write to us at firstname.lastname@example.org.