Dec 5, 2011

Kaviza and App-V - Reducing the Number of Golden Images

At FSW, thanks in part to Executive management's recognition of IT as a core resource and in part to Microsoft for an amazing grant of software, we now have the infrastructure to support our full VDI environment, including application virtualization. For desktop virtualization we chose Citrix's VDI-In-A-Box, back when it was still called Kaviza VDI-In-A-Box, over the alternatives because of Kaviza's shared-nothing grid architecture. Shared storage is a big buy for us, and expanding our SAN farm for a third time in five years is just not in the budget. Frankly, storage would have tipped the CapEx costs so far over the edge that I wouldn't have been able to justify, let alone launch, this project.

That's not to say it's perfect - it's great, but even this product falls victim to the one problem present in all VDI products, especially for a smaller shop like ours - image management. It's much easier than managing desktop images in a Ghost or RIS environment, but it's still a challenge. Ideally, this should be fire-and-forget. To get as close to that as possible, I chose to supplement NTFS-locked apps by leveraging App-V with my VDI deployment.


Thanks to a somewhat homogenized system build and the use of App-V, we've cut down to four major images:
  • General Use
  • IT
  • Finance
  • Classroom
We looked at all of the other desktops in the company, and decided that it would make more sense to virtualize the applications than it would to build two dozen or so images to support our small user base. With normal imaging, we would have had a nightmare of images and all the driver management dedicated to those images multiplied out by application portfolio to sub-groups in each of numerous small departments. Those small departments sometimes comprise only two or three people, but they have unique applications that are essential, and in some cases mandated. Even more granular are very sensitive apps like those used for reporting on our Ryan White HIV funding, which are locked to two people in the entire company. One approach, the one we use on physical machines (and still do for VDI machines whose apps are used by enough departments to go on our golden image), is to lock the applications down with NTFS, restricting rights to only select AD groups. This is good - it lets us cut image numbers down and achieve that semi-homogeneity I was mentioning earlier. It's also complex to manage and document when you have so many tiny install bases for the one-off apps.
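The documentation burden of NTFS-locked apps can be reduced by generating the access list from the image itself. The following PowerShell is an added example, not something from our build scripts: it assumes one folder per application under a hypothetical `C:\Apps` root and treats the listed built-in principals as "too broad" for a locked app.

```powershell
# Added example: report which principals can reach each NTFS-locked app folder.
# Assumptions (not from the post): apps are installed one-per-folder under
# C:\Apps, and any Allow entry for the broad principals below means the
# folder is not actually restricted to its AD group.
param(
    [string]$AppRoot    = 'C:\Apps',                 # hypothetical install root
    [string]$ReportPath = '.\app-acl-report.csv'     # hypothetical output file
)

# Principals that should never hold an Allow entry on a locked application.
$broad = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

$rows = foreach ($dir in Get-ChildItem -LiteralPath $AppRoot -Directory) {
    $acl = Get-Acl -LiteralPath $dir.FullName
    foreach ($ace in $acl.Access) {
        # Deny entries only narrow access; the report is about who is let in.
        if ($ace.AccessControlType -ne 'Allow') { continue }
        [pscustomobject]@{
            Application   = $dir.Name
            Principal     = $ace.IdentityReference.Value
            Rights        = $ace.FileSystemRights
            Inherited     = $ace.IsInherited
            # Inheritance still enabled means the parent folder can re-open access.
            InheritanceOn = -not $acl.AreAccessRulesProtected
            TooBroad      = $broad -contains $ace.IdentityReference.Value
        }
    }
}

# Full listing for documentation; one row per application/principal pair.
$rows | Export-Csv -LiteralPath $ReportPath -NoTypeInformation

# On-screen summary of folders that are open to more than their AD group.
$rows | Where-Object TooBroad |
    Sort-Object Application |
    Format-Table Application, Principal, Rights, Inherited -AutoSize
```

Run it against the golden image before publishing; an inherited entry in the summary usually means inheritance was never disabled on that application's folder.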

A better way is to use App-V to package the applications each department or group uses, and then push them out to the users based on group memberships. It's a little like managing the NTFS permissions, but much more intuitive and visual. This is done on the App-V servers, without ever touching the VDI golden image. IT, Finance, and our classrooms were the only exceptions to that rule, largely due to the sheer number of additional applications required, but they still get App-V delivered applications outside of their specific apps.

Where this has also helped is in managing our application portfolio. We have far more applications in use than most companies of our size, because we have so many different services that we offer and so many government agencies to report to. Each agency seems to have its own process for picking out the worst possible application for its particular needs and then forcing agencies like FSW to use them. We also have applications that our non-government funders require us to use, some of which are a bit old (and always unique). Even more horrifying applications than those are also out there - we have versions of some applications that go back to the Windows 95 days. Thankfully they're 32-bit... mostly. A terrifying few of them are 16-bit, particularly in the classrooms.

Being able to sequence those apps on a Windows 2000 machine has helped a lot. Many of these apps, when not required by a funder or government agency, are in place because they do the job and nobody wants to spend the money to upgrade them, such as Rosetta Stone for our ESL programs. Rosetta Stone licenses are quite expensive for the departmental budget of a small social services agency. App-V has helped tremendously with the multitude of one-off programs, allowing us to cut our "install woes" off at the pass. This means no more DLL Hell. No more incompatibilities with patches. No more strange application requirements to package together. And yes, we can run some of those old-as-dirt apps on 64-bit Windows 7.

As you've probably seen, I've put up a few quick posts on our tests with various apps. I'll have some more soon!
