In late June of this year I had the honor of pre-recording a VMware Explore session with Todd Dayton and Cris Lau. The session, "Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It," focuses on ways to enhance on-premises Horizon environments with VMware hosted services. It stems from a recognition that shifting VDI capacity to the cloud is not quite feasible for many customers, at least not yet. As Todd puts it, "VDI really isn’t an application workload itself. It’s a support system for Windows applications that typically can’t or wouldn’t be modernized…. These Windows applications aren’t always a great cloud candidate." So, sure, you can stuff any application in a cloud based desktop, but if it's too resource hungry, too latency sensitive, or generates too much ingress/egress traffic, there could be problems. Performance or cost savings, or both, can take a serious hit. For this and other reasons, lots of customers have decided to keep virtual desktop workloads on-premises. However, all is not lost. There's still plenty to gain from slathering cloud services on top of existing on-premises Horizon environments, shifting management, monitoring, and security to VMware's SaaS offerings.
These VMware hosted services ease the burden of on-premises Horizon management while wrapping modern capabilities around traditional Windows workloads. For day 2 operations the Horizon Control Plane, with features like the Horizon Universal Console, Help Desk Tool, and Assist for Horizon, enables effective support from anywhere in the world. Further, a subset of the Horizon Control Plane called the Cloud Monitoring Service (CMS) offers high level monitoring and reporting against Horizon from the cloud, capabilities recently improved upon through Workspace ONE Intelligence for Horizon. Along with SaaS based support and monitoring, there's the ability to enhance remote Horizon access with cloud based Workspace ONE and Carbon Black. These services allow customers to wrap modern capabilities around Horizon sessions while facilitating adoption of 3rd party SaaS like Office 365, Okta, and ServiceNow. The end result is a comprehensive remote access solution, an on-premises Horizon environment augmented with cloud based services to deliver a digital workspace for remote and hybrid workers.
COVID-19 Brings Horizon Remote Access To The Foreground
Horizon is more relevant than ever given the spike in remote and hybrid work driven by the pandemic. For nearly 15 years Horizon had been a relatively niche solution, adopted primarily by segments sensitive to security and regulations. Despite this narrow vertical adoption, over the years Horizon progressively improved at remoting Windows through updates to its clients, agents and the Blast display protocol. This finely tuned capability was an absolute godsend as customers scrambled to accommodate remote access in the early days of the pandemic.
VMware Hosted Services Wrap Comprehensive Security And Management Around Remote Horizon Access
Over half a decade ago Workspace ONE UEM (AirWatch) was already shifting towards predominantly SaaS based adoption. There are certainly exceptions, but generally speaking Workspace ONE UEM is a cloud first solution. The same goes for Workspace ONE Access nowadays, as customers are entitled to a SaaS based tenant through their Horizon Universal subscriptions. Offering a unique integration of identity and endpoint management capabilities, WS1 UEM and Access combined offer amazing enhancements to remote Horizon access like contextual authentication, endpoint management, and SSO. This ideal model for remote and hybrid workers is further enhanced through Workspace ONE Intelligence. Intelligence, along with providing advanced reporting capabilities, enables ruthless automation against WS1 UEM environments as well as any 3rd party solutions supporting REST APIs. Finally, Carbon Black, a VMware acquisition from 2019, provides cloud based next-gen antivirus for Windows 10 and macOS. When these VMware hosted services are combined with Horizon you get a solution ideally suited for remote and hybrid workers, a superb remote access Horizon experience augmented with mature cloud based security and management.
These SaaS offerings wrap remote Horizon sessions in modern capabilities like Zero Trust, beefing up security for Windows applications that historically have been less than secure. Further, while these services are a natural fit for remote endpoints, we can also use them to manage virtual desktop images themselves. WS1 UEM can be used to manage persistent VDI and Carbon Black is supported on both Instant Clones and Full Clones. Likewise, WS1 Access can be used to secure SaaS adoption both inside and outside the virtual desktop.
In addition to enabling the adoption of cloud based service providers, there's the option to leverage solutions like Okta, Ping or Azure as identity providers. By configuring these services as trusted IDPs we can leverage their authentication mechanisms for securing Horizon or any other Workspace ONE integrated application. It's a way to beef up the already impressive set of Workspace ONE security capabilities, another way of bringing cloud to the desktop.
Finally, there are two very interesting ways in which Workspace ONE Intelligence facilitates cloud adoption. First, through the Trust Network it can ingest threat events not only from Carbon Black, but also from other cloud based members of the Trust Network like Lookout. Second, events collected in the Intelligence data lake can trigger actions through automation connectors. Out of the box there are built-in connectors for WS1 UEM, Slack and ServiceNow; however, there's an option to create custom connectors for any solution that offers a REST API.
These automation connectors represent an amazing opportunity to fine tune enhancement and support of Horizon environments from 3rd party cloud services. Horizon admins are usually grizzled veterans when it comes to scripting within the desktops. With Intelligence they can now turn their attention to scripting against SaaS, automating REST API calls to 3rd party cloud solutions that are becoming increasingly relevant.
The Horizon Control Plane Services
Horizon Control Plane Services enable day 2 support for on-premises Horizon environments from the cloud. Its Horizon Universal Console provides Horizon administration enterprise wide through a single web based URL while also providing global access to the Help Desk tool. So a support team, wherever they are in the world, without the need for direct network access to Horizon environments, can look up real time session details for any Horizon user. They'll also have the ability to troubleshoot through actions like killing processes or restarting VMs. If necessary there's even an option to remote into a virtual desktop using Workspace ONE Assist for Horizon. Finally, for more high level support and monitoring, "the big picture," there's the Cloud Monitoring Service (CMS). CMS provides health, capacity, and usage metrics for any cloud connected Horizon environment. (For example, if a certificate expires on a Horizon Connection server, this challenge will trickle up to the Horizon Universal Console through CMS.) The Universal Console, the Help Desk tool, Assist for Horizon and CMS all connect to on-premises environments through the Horizon Cloud Connector and clone Worker Node(s) that provide redundancy.
While CMS provides high level insight, Workspace ONE Intelligence for Horizon provides additional detail, granularity and customization in terms of monitoring and tracking the health of your on-premises Horizon environments. This provides more in-depth support for day 2 operations while laying the groundwork for future Workspace ONE integration with Horizon.
Workspace ONE Intelligence For Horizon
Workspace ONE Intelligence For Horizon was first announced during VMworld 2021 and, as of July 28th, 2022, is generally available. This rounds out the overall strategy of porting information from all VMware EUC components into Intelligence. For someone who specializes in both Horizon and Workspace ONE this is welcome news. Intelligence has been offering advanced reporting and automation for WS1 UEM for years now and it's great to see VMware extend this functionality to Horizon.
Even more impressive and overwhelming are the available "Session Snapshot" attributes:
Though not everyone is ready to move their VDI workloads to the cloud, all existing Horizon customers stand to benefit from the adoption of VMware hosted services. These services, already available today, can be layered on top of existing Horizon environments non-disruptively and easily. These are the main takeaways of the Explore session, "Can't Take Your Virtual Desktop To The Cloud? Bring Cloud To It." It begins with an amazing introduction from Todd Dayton. He elaborates on the benefits of cloud adoption, challenges with Windows workload migrations to the cloud, and the ideal compromise of shifting Horizon management to the cloud. Then Cris Lau provides an impressive demo of the Horizon Universal Console, Help Desk tool, Assist for Horizon and Intelligence for Horizon. Finally, I wrap things up reviewing ways we can enhance remote Horizon access with cloud based Workspace ONE and Carbon Black.
Also, one final anecdote. Todd pointed out that even if you're confident your virtual desktop workloads will eventually get migrated to the cloud, there's absolutely nothing lost if you start off with these cloud based enhancements to your on-premises environment today. It's not like you'd be burning any bridges or painting yourself into a corner. In fact, arguably you'd be stacking the deck in your favor for a successful workload migration by already having cloud based management services configured, adopted and in place. So there's really nothing to lose except the burden of managing on-premises resources.