How to quickly and securely organize remote work for employees? We discuss different approaches: with VDI and without

Businesses have long faced the need to organize remote work for their employees conveniently and securely. Earlier this task could be postponed again and again and pondered further, but now there is no time left: remote work is the main trend of spring 2020 throughout the world. In this material we would like to share our experience in organizing remote work, since we have been closely engaged with this question for almost 25 years.

The remote work format is entirely familiar to any Dell Technologies employee, and our Russian offices are no exception. Today we concentrate on two kinds of solution: operational ones that use the equipment already at hand, without VDI, and deploying VDI as quickly as possible. Below we give detailed answers to four questions that our current and potential customers have asked most often recently.



Is it possible, with minimal effort, to have employees work from home the same way as in the office?


Yes. An employee switching to remote work needs a laptop with the programs they usually use installed and a set of collaboration tools such as Microsoft Teams, Skype for Business, possibly Zoom, and so on. This allows them to communicate and exchange information with their team much as they would in the office. One more thing is absolutely necessary: a VPN client. There are many options, and the choice of a specific one will obviously be dictated by the instructions of your company's information security department.

Since the employee's device will be at home rather than in the office, you have to account for the risk that an outsider gains access to it. Therefore multi-factor authentication should be used: smart cards, a fingerprint scanner, tokens or one-time passwords. Security software must not be forgotten either: antivirus and data leak prevention tools.

But the most important thing is remote management software. It is what allows your company's IT department to configure employees' PCs located outside the local network. Customers who use Dell Technologies corporate computers (in particular the Latitude and OptiPlex series) are in a privileged position here: these machines come with the Dell Client Command Suite preinstalled, which brings tangible benefits in the current situation.

In effect this is a KVM solution whose functionality can be used even when the device it is installed on is outside the enterprise. You can do a lot with it: deploy and configure the device, install drivers, monitor its status and even update the BIOS. There is one subtle point, however: vPro support is required, and that depends on the specific configuration and the processor used in the computer.

If such support is present, the system administrator can use the Deploy and Configure modules to remotely prepare the device before handing it to the user: remotely install the required driver bundles and firmware updates. The Monitor module allows monitoring the hardware status of the entire fleet of equipment in the hands of remote employees.

Corporate computers are not enough. How can remote work be organized on employees' own devices?


That is also possible. Here we can recommend other specialized software: Workspace ONE from VMware. It consists of three parts. vIDM (VMware Identity Manager) is responsible for identifying users and implementing single sign-on, and this works regardless of whether the device is on the corporate network or an external one.

The next part is mobile device management. If you used this product before, you probably remember it under the name AirWatch. Today its functionality has expanded from mobile devices to any PC running Windows 10. Here you can distribute device configuration policies, restrict certain capabilities, force the installation or removal of software, monitor geolocation and, importantly, remotely wipe the device if it turns out to have been stolen or compromised.



And this is only the tip of the iceberg; there are many more capabilities. The most important thing to remember is that all of this works not only on the local corporate network but also, so to speak, over the Internet. A small remark about the maturity of the software: it has been polished for years, and Workspace ONE now even takes into account the battery consumption of a remote device. That is, an employee working unplugged from the mains will certainly not be left without a computer because actions scheduled by the administrator suddenly "ate up" all the remaining charge during some update.

The third part of Workspace ONE is VMware Horizon, and this is not just a solution for accessing desktops within the corporate network but a full-fledged VDI platform. Much of its functionality concerns working with data center resources. It can run on the local network (in which case the servers that manage the devices of remote employees can be deployed there) or as part of a cloud solution. Both options are available in Russia; the solution is very large-scale and comprehensive.

Within the scope of today's topic, we note that it can be used to connect employees who have desktop PCs, laptops, thin clients or even iOS / Android tablets to the server infrastructure.



As an example, in general terms, we describe one real case of building a secure workplace infrastructure for remote employees with Workspace ONE. With this approach a kind of "application store" appears on the user's side, from which they can download the programs they need for work, and for each of them a separate VPN channel can be set up. For instance, when choosing the Gmail application on Android, the user sees two email client icons: their personal mail and a separate corporate account, which establishes a secure connection before opening. Data exchange between applications in the user's personal zone and the corporate zone is not possible.

Of course, there is also a way to insure yourself against loss of the device: the administrator can remotely wipe the system. An important nuance: the user's personal data is not deleted. In general the functionality is very broad: automatic configuration, encryption, a ban on storing personal data, and so on. Naturally, before all this is deployed on an end user's device, the gadget must be checked for compliance with corporate policies. If something in the firmware changes after the compliance check, a ban on working with data can be applied automatically, or a forced update can be started.

Do we use solutions based on Workspace ONE in our own work? Of course. This is what that very "application store" looks like on the work device of one of our employees, who, like many of us, is now working remotely.



VDI is complicated, expensive and time-consuming. Is there a way to organize it more simply, faster and cheaper?


How do most people imagine VDI? As a set of virtual machines with various operating systems running in the data center. Using remote access from a client device, a user reaches them and works with the applications running in the virtual machine. In terms of operating systems it basically boils down to Windows and Linux.

The main advantage of all this is security: data always remains in the data center; it never leaves it and never ends up on users' computers. The remote employee sees on their screen only what is happening in the virtual machine and cannot even copy anything to their own machine, unless the system administrator allows it. At the same time this can be considered a limitation of working with VDI.

The second advantage is manageability. Updating applications and operating system versions and applying various policies to virtual machines is centralized and very fast. More importantly, the virtual machine is not deployed on each PC separately but is cloned from images: thousands of them can be created in literally minutes. And this is the third advantage of VDI.

The main disadvantage of VDI is that it is a complex solution consisting of a large number of components. Many customers believe that using it to quickly deploy home workplaces in the current situation is impractical and expensive. Is that so?

Consider the situation using VMware Horizon as an example. Of course there are other, no less effective options, but this is the approach we use. What does the whole structure consist of, in simplified schematic form? First, the client: it can be anything (Windows, Linux, Mac OS), and the user experience is in most cases the same across devices. If installing a VDI client is difficult for an employee, they can work through a browser. In that case access to a personal virtual machine comes down to a link, a login, a password and possibly some additional data.



The next component is VMware Unified Access Gateway (UAG). This is a "gatekeeper" which, from the point of view of an external user, looks like a web server. It sits in the enterprise's so-called demilitarized zone and hides the local network from the Internet: anyone outside the local network sees only UAG.

Connection Server is the brokering service that determines which virtual machine, terminal application server or physical computer a given user will be connected to. What exactly the user connects to is set by the administrator; the user cannot change these settings.

What can be accessed via VMware Horizon? For example, the Windows desktop of a remote machine: Windows 10, Windows 7, or a single Windows Server machine. The latter is relevant when there is a need to save on licenses, but we will not dwell on that today. The lowest-cost deployment option, of course, is Linux virtual machines. You can also save on server hardware by setting up terminal access. At the moment one physical server can, on average, run more than a hundred virtual machines or about 400-500 terminal access sessions.



And in all this there is one "but" that is often forgotten when VDI is discussed: the technology gives access not only to virtual machines but also to physical PCs, the very ones employees worked on in the office before the "world of remote work". To do this, install the Horizon Agent on the office computer and then configure remote access to it, as if it were a virtual machine, through the Connection Server and UAG. Unless the administrator allows otherwise, nobody except the user will see this PC, and all other employees will likewise see only their own office machines, which have acquired "virtual" status.

We shot a nice video about one variant of such access to a PC. In that case the computer is a rack-mounted Dell Precision workstation with a Teradici card: it is located in the server room, and an employee accesses it from a thin client. Note that the user experience is almost the same as working on the same graphics workstation without VDI, even though the task is very resource-intensive: 3D modeling. It turns out that there is practically no difference for the user, while the organization benefits from better manageability and higher security.


You can connect to physical and virtual machines under VMware Horizon using the protocols VMware Blast Extreme, Teradici PCoIP, RDP, RemoteFX and HTML5, so access through the browser is also possible. Looked at from "outside", UAG exposes only port 443, standard encrypted HTTP. Thus the solution reduces access to the local network to a single remote-access port, and no VPN is required.
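As an added example (not code from the original article or from VMware), here is a small Python audit of the exposure model just described: a constructed firewall rule set is checked so that only UAG on tcp/443 is reachable from the Internet, while the brokered UAG-to-LAN path is kept. The host roles, zones and rules are assumptions made for illustration, not a real firewall export.

```python
"""Check a firewall rule set against the Horizon access path described above:
Internet -> UAG (DMZ, tcp/443 only) -> Connection Server / Horizon Agent hosts (LAN).
Host roles, zones and the rule set are constructed sample data (assumptions).
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed inventory: which network zone each host role lives in.
ZONE = {"uag": "dmz", "connection-server": "lan", "office-pc": "lan"}


@dataclass(frozen=True)
class Rule:
    src: str             # "internet" or a host role from ZONE
    dst: str             # a host role from ZONE
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None means every port
    action: str          # "allow" or "deny"


# The one Internet-facing rule the design needs: the single published port on UAG.
REQUIRED = Rule("internet", "uag", "tcp", 443, "allow")

# Constructed sample policy: the intended path plus two shortcuts an audit should catch.
SAMPLE_RULES = [
    REQUIRED,
    Rule("uag", "connection-server", "tcp", 443, "allow"),  # UAG brokers via the Connection Server
    Rule("uag", "office-pc", "tcp", 3389, "allow"),         # UAG -> office PC running Horizon Agent
    Rule("internet", "office-pc", "tcp", 3389, "allow"),    # RDP straight from the Internet to a LAN PC
    Rule("internet", "uag", "any", None, "allow"),          # every port on UAG, not just 443
]


def rule_findings(r: Rule) -> List[str]:
    """Findings for one rule; empty when the rule fits the topology."""
    if r.action != "allow":
        return []  # deny rules create no exposure
    if r.src == "internet" and r != REQUIRED:
        return [f"internet may reach {r.dst} {r.proto}/{r.port or 'any'}; only uag tcp/443 is expected"]
    if ZONE.get(r.src) == "dmz" and ZONE.get(r.dst) == "lan" and r.port is None:
        return [f"{r.src} may reach {r.dst} on every port; limit it to the broker/agent ports"]
    return []


def audit(rules: List[Rule]) -> List[str]:
    """All findings for a rule set, plus one if the published UAG rule is missing."""
    findings = [f for r in rules for f in rule_findings(r)]
    if REQUIRED not in rules:
        findings.append("no allow rule for internet -> uag tcp/443; remote users cannot reach the gateway")
    return findings


def hardened(rules: List[Rule]) -> List[Rule]:
    """Example remediation: drop every rule that rule_findings() flags."""
    return [r for r in rules if not rule_findings(r)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print("FINDING:", finding)
    print("after hardening:", audit(hardened(SAMPLE_RULES)) or "clean")
```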



Which device should be chosen for VDI access if it will be located at home, outside the corporate network?


The most reliable option, in our opinion, is a thin client. Its main advantages: security, manageability, low cost. The downside is that even these devices need to be bought, so work will be suspended for some time.

You can take an existing corporate laptop or buy additional machines. The plus here is that they can be used for work after the pandemic, including to replace PCs that have already reached the end of their lifespan. The minuses are more significant: laptops also need to be bought, they are more expensive, and most importantly, an external management system has to be deployed on them. For the "home-based" option this is very inconvenient and slow.

Another obvious option is the employee's home PC, but we believe everyone understands what this risks. If an employee agrees to use it for work, it is quick and cheap, and so, as we found out, some companies are now going this way. But it all works only until someone else with access to this PC appears: a child, a spouse or a "computer repairman". They make changes, deliberately or not, to the software or even the hardware, and in most cases access to the corporate network then immediately stops working. And the problem cannot be fixed by phone; a specialist has to be sent.

The next option is mobile devices. In our opinion this is also acceptable if they are under the control of the Workspace ONE platform we discussed above. But here too there are disadvantages. First, many employees are reluctant to hand their mobile gadgets over to corporate control, and that is understandable. Second, it is hard to work productively on tablets, and connecting peripherals is not always possible.

This raises an additional question: is it possible to turn an existing PC into a thin client?

Let's start a little further back. What is a thin client? A small specialized computer running either a general-purpose OS or a specialized OS tailored to working in VDI mode. VDI clients and additional management software are installed on it, and it is ready to perform only its specific task; it cannot do anything else. The choice is huge: by price, by performance, by form factor. Today many companies are reconfiguring office thin clients and handing them out to employees who have switched to remote work.

Managing a thin client is very simple and can be done very quickly. By default such devices have far fewer software and hardware variations than regular PCs. In addition, their software is automated as much as possible and sometimes requires no involvement from the end user at all; even the company's junior IT staff master it easily.



What can we offer here for our part? We have Wyse ThinOS, and it is what distinguishes Dell Technologies thin clients from competitors' solutions. It is a very mature product: it is about 17 years old. So the system has gone through a huge number of improvements, is debugged as much as possible and today has a minimum size of 30 MB. Updating ThinOS on a thin client takes about 30 seconds over a fast link, and over poor links it takes minutes, not days, compared with the remote installation of a Windows image.

ThinOS does not allow installing any third-party software, and the file system of the data storage is not accessible in it; thanks to this, the thin client is not exposed at all to virus attacks or hacking attempts. With a little "magic", from a network point of view a thin client can even be turned into a "black box": even if someone decides to attack it, they simply will not understand what they are dealing with. At the same time there are optimizations not only for ordinary applications but also for multimedia, Skype for Business, Jabber and Cisco conferencing, and for heavy 3D applications like Autodesk, SolidWorks or Siemens NX hardware traffic decoding is supported. So even designers can work from home.

In short, in terms of lockdown, ThinOS brings the device it is installed on close to a hardware zero client, yet still allows working with VMware Horizon, Citrix, VDI from Microsoft and other vendors. The system supports four remote access protocols (VMware Blast Extreme, PCoIP, HDX 14, RDP / RemoteFX 10) and can connect to various types of VPN servers.

Naturally, ThinOS supports management by Wyse Management Suite. And to answer the question posed at the beginning of this section: yes, we can convert a regular PC into a thin client. Our solution is called Wyse Converter for PCs. It is software for regular Windows 7/10, with support for the Russian version, and it is provided by subscription, which is important: when the current situation resolves and most employees return to their offices, the subscription can simply not be renewed. Delivery is electronic, so there is no question of weeks of rollout; it is a matter of days at most.

The main task of this program is to turn the selected PC into a Wyse Software Thin Client: the Wyse software client on the Windows operating system. All peripherals for which drivers are already installed on the machine will continue to work. If necessary, all common VPN clients are supported, but the main thing is that such a PC can be managed with Wyse Management Suite. And it will be hard to break out of this mode, because after installation the system is effectively locked into a zero-client state. Everything can also be returned to its original state with the same software.

The Wyse Management Suite settings allow you to automate the VDI connection: pass the Connection Server address, install the required client, say VMware Horizon or Citrix Workspace App, and launch it on this PC. Accidentally exiting VDI mode is almost impossible, since there are settings that restart the VDI client after the user presses the power button. And all of this can be tried in advance in demo mode.

Is it possible to build a solution for remote work without VDI that is still manageable and secure?


We answer this question in the affirmative too, but with certain conditions that must be strictly observed. First, use a thin client with Wyse ThinOS; this is a matter of security and ease of management. A workplace built on this basis simply does not physically allow anyone to do anything the administrator has not provided for. Only one thing is required of the user: connect via VPN and start a remote session with the office PC. This approach removes the need to install the Horizon Agent or another VDI agent on the office PC. The next condition is to manage all of this through Wyse Management Suite Cloud.



Why don't we offer thin clients on Windows? Because a VPN opens a very wide channel into the enterprise. At this level of risk, in our view, the device on the employee's side must be as locked down as possible and must not allow anything extra.

Only two protocols are offered for the connection, because they can be used directly with office PCs without the VDI infrastructure: RDP / RemoteFX and PCoIP.

Speaking of management, it is important to emphasize that Wyse Management Suite exists in both a free and a paid version. The free version can only be deployed on your own servers. The task we are solving as part of this answer comes down to a minimum of actions with maximum security, and with the free version problems that consume a lot of your information security staff's time are inevitable. However, we also have Wyse Management Suite Cloud, a cloud solution that has existed for quite some time and now manages more than a million workplaces.



It cannot be bought separately, but with the paid version, Wyse Management Suite Pro, you get Cloud for free. Licenses are issued in the same personal account that is used to manage devices. To fine-tune the configuration you can use WMS deployed inside the network and then simply transfer this thin client configuration to the cloud.

An important advantage of Wyse Management Suite Pro and Cloud combined with Dell Technologies thin clients is control not only over the OS itself, applications and settings, but also over the BIOS. Thus external access to the PC through methods such as booting from an external device or changing administrative roles is completely excluded.

This is what the browser-based management console looks like. With WMS Pro and Cloud, administrators can also use a mobile application for convenience.

That is probably all we wanted to tell you today. If you have questions on the topic, we will try to answer them in the comments. And if, after reading this material, you want to try or implement some of the solutions described, write to us in private messages: we will quickly put you in touch with the responsible people, and they will organize everything. Thank you for your attention!
