Lately a lot of the companies I have visited or talked to tell me they want to move away from local applications, and even their entire SBC/VDI deployment, in favor of going completely SaaS + BYOD (Bring Your Own Device). Is this possible? What about classic applications? What about credentials and Single Sign-On? What about your own data? In this blog we will explore the answers to those questions by looking at some great products and getting ready for the digital transformation.
- What is SaaS?
- What about credentials?
- What about classic applications?
- What about your files?
What is SaaS?
SaaS means Software as a Service: a software vendor delivers their product (the application) from their own (cloud-based) infrastructure. The vendor is also responsible for updating and managing the software and infrastructure. Usually SaaS has a monthly fee/subscription and is delivered through a web browser. Because almost every “smart” device these days has a web browser built in, you can work with the application anywhere you want on any device. A great example of a SaaS application is TopDesk, an ITSM solution which already runs in a web browser in an on-prem environment. If you want to migrate to TopDesk SaaS, all you need to do is export the data from the on-prem environment and import it into a TopDesk SaaS tenant, then publish the new link to the users or forward your on-prem link to the new TopDesk, and you’re done.
Now let’s take a step back and think about why you would want to use SaaS:
Since the 2010s almost all IT environments are virtualized. This has a lot of benefits but also some downsides. Because there is no longer a need to buy new hardware every time you need a new server, we have seen a wild growth of virtual servers. Every system administrator has probably heard this sentence: ‘we are buying a new application and it only needs 1 or 2 new VMs, that’s no problem right?’ So now we are left with a lot of VMs that need to be managed. Next to that, there has also been a wild growth of new applications, and applications are getting more and more complex, with more functionality. A lot of companies now have more Functional and Technical Application Managers than System Administrators on the payroll. So one way companies can reduce the cost of running all those applications themselves is going with SaaS applications. And some companies want to take this even further. In theory, if all your applications are SaaS and everyone can reach them from any device and location, there is no need for a centralised desktop solution like SBC/VDI anymore. So is this the future, everything SaaS?
What about credentials?
When using a SaaS application you will most likely be prompted for credentials, just like you would if you sign in to your Hotmail, Amazon or Netflix account. Remembering all these different credentials for different SaaS vendors can be difficult for a user and can lead to shadow IT. Most SaaS vendors support other authenticators like ADFS to authenticate the user. But in order for ADFS Single Sign-On (SSO) to work, the user must be signed in with their company’s credentials (Active Directory) on their device, or else they will be prompted to enter those credentials again. This does mean that the user only needs to remember one set of credentials, but must retype them every time they open a new SaaS application. So if a company wants more and more SaaS applications, what do you do with the credentials? And how do you make sure a terminated employee can’t sign in to SaaS applications anymore?
What about classic applications?
Classic applications sounds like old applications. But in fact they can be brand new, great applications. So what do we mean by classic applications in relation to SaaS? We mean applications which need to be installed locally or need special hardware/licensing, or for which the vendor is not creating a SaaS equivalent, or for which the SaaS equivalent is missing vital features. An example of this is Microsoft Office. There is a SaaS equivalent but it lacks features. So if your company wants to move to a completely SaaS environment, what do you do with these applications?
What about your files?
Everyone works with files on their computers, from a Word document to a design drawing from AutoCAD. One of the big drawbacks of SaaS is that you are working in a web browser and are missing the file explorer. All your data must be uploaded to and downloaded from the SaaS application. Or you could work with cloud storage like OneDrive or Box. But what about BYOD and files? If somebody downloads a file on an unmanaged device, how do you make sure that file is deleted when someone leaves the company?
For most of the problems mentioned above there are solutions. In this part of the blog we’re going to look at some of those solutions.
Citrix has always been really big in the centralized desktop SBC/VDI environment with XenDesktop and XenApp. So how can they integrate in the SaaS world? Well, quite well actually. Citrix has created a new product called Citrix Workspace. It’s like StoreFront but on steroids. It allows you to add local resources like XenApp published classic applications and SaaS resources like Office 365 or Salesforce in one portal. The user signs in once with their credentials. This can be ADFS, Azure AD, NetScaler with MFA and many more. After that the user is presented with one uniform portal from which they can access classic applications run on XenApp or get access to Salesforce without being prompted for credentials again.
Citrix Workspace does this by creating trusts with partner SaaS clouds so it can pass on your credentials safely. Citrix Workspace also allows users to access their data through Citrix ShareFile, even from within partner SaaS applications. This means there is no need to download or upload data to and from unsecured devices.
Citrix is also busy enabling IoT services for Citrix Workspace, like signing out of the computer when your smartphone (and you) leave the computer, and getting notifications about the business in your workspace portal. A downside of Citrix Workspace is that you still have to manage your Citrix infrastructure for classic applications. Of course you can get your base Citrix infrastructure from Citrix Cloud with Azure or AWS through XenApp Essentials, but you are still responsible for creating, updating and managing the base image and VDAs, and for managing and updating the classic applications. Read more about Citrix Workspace.
Turbo.net is a solution aimed at working in the cloud. It uses application containers for your classic applications. These containers can then be launched on cloud VMs or your local machine. Making containers from your applications makes some wonderful things possible, like running IE6, 7, 8, 9 etc. on the same Windows 10 desktop. Something App-V can only dream of.
But you can just as easily take those containers and run them from the cloud. Then you can access them from a web browser on any smart device, just like you would a SaaS application, for example running an Internet Explorer container in Safari on macOS.
Turbo.net does even more for you than just give you the tools to create application containers. They deliver AaaS (Application as a Service). They can create, update and manage your application containers for you and run them on their Azure tenant close to you. Turbo.net does all this for one monthly fee per user. The goal of Turbo.net is to become the Spotify of applications. They even have a free tier which you can use right away to run public containers (like Firefox, SQL Express, FL Studio and many more) on your machine.
The containers need no installation. But running an application in a container will decrease the performance of the application slightly. There are also even more remarkable things you can do with application containers. You can block access to your internal network or, for instance, only allow access to one website. Turbo.net containerized applications can be created and configured from the command line and through web and GUI interfaces.
In the example above you can see that I created two containers from the command line: one Firefox 35 container with Java 8.144 and one Firefox 35 container with Java 7.51. These containers run side by side on the same machine. When using cloud containers, you can attach your cloud storage provider, like Box or up, and download your data. With Turbo.net you can also create a secure browser container to reach your SaaS applications. More information about Turbo.net can be found here.
Frame’s tagline is to run any software in a browser. Frame is built for the public multi-clouds and leverages Azure and AWS. With regard to onboarding your own applications, Frame provides easy access to a master image (called Sandbox). You can install your classic Windows applications in the master image. When you are finished with the manual or automatic installation of the applications, you can publish the master image with all the applications to the users in a production environment.
When applications are installed or updated, users can sign in to the Frame portal with any web browser and are presented with the applications or a Windows desktop. Clicking on an application automatically starts a virtual machine and runs the application or applications on this machine. Starting, stopping, cost control and scaling up and down are done by the Frame platform automatically.
The applications are delivered to the user with Frame’s own remoting protocol. Besides the Frame web interface (they call it Launchpad) they also provide an embedded player and APIs to integrate with other platforms. For instance, running Microsoft Project 2013 inside the Microsoft Office 365 Application Launcher using Microsoft Edge on Windows 10.
With Frame, you can use either your own Azure/AWS subscription or Frame’s subscription, whatever fits best for you. You can use CPU, elastic graphics, single GPU or even 4 GPU powered instances, which gives great flexibility and options to run any application in a browser. For instance, if your company has most of its applications migrated to SaaS except CAD applications, which require high-end workstation hardware with a beefy AMD or NVIDIA GPU, you could just install your application on the Frame platform, use the GPU-enabled instance on AWS/Azure and deliver these classic applications as a service to your users. If one GPU is not enough you can instantly switch to a better instance type with 4 GPUs. This is just an example and there are many more.
Another great and important functionality for almost any organization is the ability to use different credential solutions such as Google, Microsoft Azure AD, Ping, Okta and VMware Identity Manager. Integration with different storage and cloud storage solutions like Google, Box, Dropbox etc. is also possible.
Microsoft is one of the key investors in Frame, and it’s interesting to see the connection between Microsoft Office 365 and Frame delivering Windows applications directly into the Application Launcher using their API. Frame is a complete platform (Platform as a Service): they provide all the functionality to deliver applications and desktops as a service. Keep in mind, you are still responsible for installing, updating and managing your own applications. More information on Frame can be found here.
In conclusion, are we ready to completely let go of the centralized desktop? Well, I think in some specific cases you could do it. Solutions like the ones mentioned above can certainly help with that, and there are even more solutions out there right now. Maybe even combining solutions will be the answer. But it’s important to set a clear goal for your company. Working in the cloud cannot be the goal of your company. The cloud is just a resource. A clear goal could be: save money on managing applications and infrastructure while making it possible for the users to work wherever, whenever and on any device they want. And especially that last one, ‘any device’, also means security risks. It’s important to make sure that your data never leaves the cloud and users can work with their documents in the cloud. The solutions above can help with that, but cloud storage providers can also help by assigning data protection policies. So make sure to check that and have it completely set up before uploading all your data.
- First off, make sure your business is ready. If you are still busy every day with problem solving and extinguishing IT fires, you won’t have time to innovate and start getting ready for new things. So make sure your system today is solid. A good UEM, automation and a self-service portal will help a lot with this!
- As I said in the conclusion, think about your data protection on unmanaged devices.
- For European companies, make sure your SaaS applications have an auditing and reporting log of who signed in and reached which data when. This will help with being GDPR compliant.
- Talking about GDPR, how are you going to make sure that an employee who left has no more access to the SaaS resources? Think about identity management.
- My final thought is just ‘WOW!’ We live in exciting IT times and I can’t wait to see what else will happen with cloud power in the coming years.
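The audit-log and offboarding points in the list above can be checked together. The following is an added example, not part of the original post and not any vendor's code: it reads a sign-in audit export and flags activity by accounts after their offboarding time. The CSV column layout, the `example.com` users, the application names and all dates are constructed assumptions.

```python
import csv
from datetime import datetime, timezone
from io import StringIO

# Constructed sample export: timestamp, user, app, resource, result.
AUDIT_CSV = """\
2018-03-01T08:02:11Z,alice@example.com,itsm,ticket/1001,success
2018-03-02T09:15:40Z,bob@example.com,crm,account/77,success
2018-03-05T22:41:03Z,Bob@Example.com,crm,export/all-contacts,success
2018-03-06T07:00:00Z,bob@example.com,itsm,ticket/1002,failure
not-a-timestamp,carol@example.com,crm,account/12,success
2018-03-07T10:30:00Z,carol@example.com,files,share/design.dwg,success
"""

# Constructed sample: offboarding times as recorded by HR / identity management.
TERMINATED = {"bob@example.com": "2018-03-02T17:00:00Z"}


def parse_ts(value):
    """Parse a UTC timestamp in the assumed export format."""
    ts = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc)


def review_signins(audit_csv, terminated):
    """Return (findings, rejected): post-offboarding sign-ins and unparseable rows."""
    cutoff = {user.lower(): parse_ts(ts) for user, ts in terminated.items()}
    findings, rejected = [], []
    for row in csv.reader(StringIO(audit_csv)):
        if not row:
            continue
        try:
            ts, user, app, resource, result = row
            when = parse_ts(ts)
        except ValueError:
            # Keep rows that cannot be parsed: gaps in an audit trail matter too.
            rejected.append(row)
            continue
        left = cutoff.get(user.strip().lower())  # identities compared case-insensitively
        if left is not None and when > left:
            # A success means data was reached; a failure is still an attempt.
            severity = "access" if result == "success" else "attempt"
            findings.append({"user": user.lower(), "app": app, "resource": resource,
                             "when": when, "severity": severity})
    return findings, rejected


if __name__ == "__main__":
    found, bad = review_signins(AUDIT_CSV, TERMINATED)
    for f in found:
        print(f["when"].isoformat(), f["user"], f["app"], f["resource"], f["severity"])
    print("unparseable rows:", len(bad))
```

A successful sign-in after the offboarding time means the account or its session was still valid at that SaaS vendor, which is the identity management gap to close.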
I hope this was informative. For questions or comments you can always give a reaction in the comment section or contact me: