Virtualization: The Evolution of Profile Management
Undertaking a Virtual Desktop Infrastructure (VDI) initiative is challenging. It's more akin to an Indiana Jones adventure. From the initial hardware scoping to the final support handoff, the path to a successful VDI implementation is riddled with pitfalls. The difficulty has even bred a new classification of engineers: end-user experience (EUX) engineers, who apply advanced critical thinking with a hyper-focus on ensuring the best possible experience.
In the VDI realm, every decision during installation or configuration impacts the end product. The obvious steps of user scoping, capacity planning, hardware selection, and high availability come to mind for a project plan. However, one of the often-overlooked aspects of VDI is profile management.
Profile management's goal is a consistent experience in a world where efficiencies dictate users receive a non-persistent environment. A properly selected and configured profile management solution should make the user feel as if they are using a traditional PC.
Profile Management Scripts: The Good and the Bad
Savvy admins previously crafted specialized scripts to accomplish their needs. Depending on the task, various methods were used to call these scripts. Sometimes a logon script would be used, which runs at the user's logon to any device in the network. Other times, the script might be called explicitly via Citrix to perform some processes prior to launching an application. While these methods were effective for tackling identified issues, they unfortunately proved to have several drawbacks:
- Scripts were often not well documented
- Scripts were often not maintained
- Scripts were fragile
The key point here is that relying solely on scripts requires a dedicated institutional mindset toward documentation and due diligence to ensure even the smallest of items are not missed. In the ever-changing world that is now IT, the reality is that most institutions do not have the level of discipline required to maintain such a reliance on scripts, and thus the industry moved on from full reliance on scripts alone.
The Evolution of Roaming Profiles: Multiple Profiles
The next evolution of profile management came in the form of Microsoft roaming profiles. The concept behind roaming profiles was to take the local profile, store it on a network share, and have it follow the user as they logged onto various devices within the network.
At the time, this solution filled a much-needed gap, as roaming profiles opened the door to a consistent user experience across multiple devices. Being the first solution of its kind, though, it had some glaring issues that many a system administrator can attest to, with hours spent tediously combing through user profiles to pinpoint an issue.
The most common complaint with roaming profiles is slower-than-usual logon times. Upon logon to a server or workstation, roaming profiles are designed to copy the pre-existing profile from a network share to the server or workstation being logged onto. Initially, this profile starts off as a minimal profile consisting primarily of the default profile. However, with time it is common to see these profiles bloat to a point at which either the share's physical location or network bandwidth undermines the speed of the logon process. As roaming profiles evolved, features were added to address some of these concerns. Two of the more notable features were mandatory profiles and folder redirection.
Mandatory Profiles. Mandatory profiles prohibit the growth of user profiles by forcing a preconfigured profile to be loaded at logon. Upon logoff, any changes made by the user are essentially dropped.
Folder Redirection. Tackling the issue of network limitations via a different avenue, folder redirection allows for direct access to common folders on the network share housing the user profiles. By doing so, it is no longer necessary to download the directories specified, thus greatly reducing the data across the wire at logon.
Why You Need Alternative Profile Management Solutions
The demand for roaming profiles, despite their many shortcomings, displayed a clear necessity for a solution in this field. As a result, a slew of products rose to the occasion with various solutions breaking into the profile management space. Many were acquired to be included as a bundled package for the "big boys'" product lines in the end-user experience realm.
The notable players here include Citrix Profile Management (formerly sepagoProfile), VMware Persona, VMware DEM (formerly UEM, formerly Immidio Flex), LiquidwareLabs ProfileUnity, and Ivanti User Workspace Manager (formerly AppSense).
These various solutions address many of the issues brought to light by Microsoft's roaming profiles through an array of means. Let us explore some of these various features.
Agents. Because these solutions are sometimes performing feats of magic that would challenge Gandalf's skills, they inherently need some runes. The workstation agents are typically small in footprint and utilization, but it is noteworthy that they must be deployed to any machine on which you wish to use the solution.
Streaming/DirectFlex. Aside from outright excluding a directory from syncing, a rather obvious solution to reducing logon times would be to use a just-in-time model where things were only loaded as they were needed. These technologies, with slight variations between the two, allow users to load application configurations only when they are requested, which can greatly reduce logon times.
Active Write Back (AWB). To avoid lost data, prevent corruption, and decrease logoff times, AWB saves files periodically to the network share where the profile resides. This feature is limited to files and, as a result, has some caveats around its use when considering applications that rely on a combination of registry entries and config files.
Mirroring. Typically, most profile solutions use a synchronization feature that prioritizes file modifications and additions, while file removal takes a back seat. Over time this can lead to quite a bit of profile bloat. Enabling mirroring on a folder instructs the system to treat the folder as a single object that synchronizes upon logoff. The often-touted use case for this feature is the Internet Explorer cookies directory, which without this feature would sprawl in size as changes were not appropriately tracked in the directory's index file and cookie crumbs accumulated unnecessarily.
Privilege Elevation. One often-experienced hurdle in a shared environment is that of providing users with the necessary permissions an application requires to run without granting the user God-like administrator rights. Many profile management solutions, to meet this need, now include the capability of privilege elevation. Under specified conditions, say an executable name, hash or directory location where the executable resides, applications are able to run with administrator rights, effectively allowing users to continue around the track unimpeded.
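The three rule conditions named above (executable name, hash, directory location) do not bind a launch equally tightly, which matters when reviewing an elevation policy. The following Python sketch is an added example, not code from any of the products mentioned; the rule schema, the sample rules and the list of user-writable directories are constructed assumptions. It reports which rules would elevate a given launch and flags rules whose condition does not pin the file's content.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed sample rules; this schema is hypothetical, not any vendor's format.
RULES = [
    {"id": "R1", "type": "name", "value": "legacyapp.exe"},
    {"id": "R2", "type": "hash", "value": hashlib.sha256(b"trusted build 1.0").hexdigest()},
    {"id": "R3", "type": "path", "value": r"C:\Program Files\Vendor"},
    {"id": "R4", "type": "path", "value": r"C:\Users\Public\Tools"},
]
# Assumption: directories standard users can write to, taken from an ACL review.
USER_WRITABLE = [r"C:\Users", r"C:\ProgramData\Scratch"]


def _under(child, parent):
    """True when child equals parent or sits below it (case-insensitive)."""
    c, p = PureWindowsPath(child.lower()), PureWindowsPath(parent.lower())
    return c == p or p in c.parents


def matching_rules(exe_path, content, rules=RULES):
    """Return the ids of every rule that would elevate this launch."""
    digest = hashlib.sha256(content).hexdigest()
    path = PureWindowsPath(exe_path)
    hits = []
    for r in rules:
        kind, value = r["type"], r["value"]
        if ((kind == "name" and path.name.lower() == value.lower())
                or (kind == "hash" and digest == value.lower())
                or (kind == "path" and _under(str(path.parent), value))):
            hits.append(r["id"])
    return hits


def audit(rules=RULES, writable=USER_WRITABLE):
    """Flag rules whose condition does not pin the executable's content."""
    findings = {}
    for r in rules:
        if r["type"] == "name":
            findings[r["id"]] = "name-only: pair with a hash or a protected path"
        elif r["type"] == "path" and any(_under(r["value"], w) for w in writable):
            findings[r["id"]] = "path rule sits under a user-writable directory"
    return findings
```

Running `audit()` against an exported rule set before rollout gives a short list of rules to tighten, typically by replacing them with hash conditions or by moving the target into a directory only administrators can write to.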
Environment Management. Everyone is familiar with Group Policy Objects, affectionately known around the water cooler as GPOs. It just so happens profile management has grown to the proportions of challenging the use of GPOs. Many of the above-mentioned solutions include what have become known as environment managers, which provide granular control over many of your beloved user configuration options such as logon or logoff tasks, file type associations, shortcuts, mapped drives and printers, and environment variables. The differentiator here is that environment managers provide more options on how the user configurations are implemented by giving you precise control over when, and to whom, they are applied. This is accomplished through a slew of conditions, including user security groups, machine name, IP address, and registry keys.
These features combine to provide an end-user experience that is completely customizable and equipped to meet almost any use case you can throw at it. Each solution has its pros and cons, and that is where a lot of the leg work comes in. Assessing your institution's needs and comparing them against the feature set of each solution early on is key to identifying any gaps prior to deciding on one solution.
Containers are Changing the Game
The rise of virtualization has been a game changer across all IT fields. In terms of profile management, the evolution of virtual disks has ushered in a new transformation known as profile containers. All previous versions of profile management either copied profile files from a remote network share or used the streaming feature mentioned earlier to access the files on-demand.
As the files and folders on these network shares grew in both number and size, this often became problematic. Interestingly enough, file size is less of an issue than file quantity: a folder with 1,000 1KB files will take longer to transfer than its size equivalent in a single 1MB file.
The game changer here is that profile containers utilize virtual disks in the form of .VHD or .VHDX files to store all profile components like files and registry entries on a remote share to be accessed as a remote hard drive by the operating system. When explaining this, I like to use the analogy of a thumb drive that follows you wherever you go that just so happens to store your entire profile.
The key benefit of profile containers is their comprehensiveness and ease of use and setup. To give a comparison: a containers setup would take approximately one hour for an unseasoned administrator, whereas with one of its predecessors you're talking a minimum of four hours, with countless rounds of testing and follow-up to get it into that goldilocks zone for your environment.
The evolution of profile management has certainly been an interesting one with numerous vendors making their contributions to the space. With each iteration, the solutions have gotten more comprehensive and easier to implement. With this in mind, it is important to take your time when selecting the optimum solution.
The highlights provided here should offer some background, but for additional guidance remember to review the best practices for each solution's configuration, as they will often provide significant insight into the product's capabilities. As always, best of luck!