Managing the “Last Mile” of SWV applications: The Settings (using PolicyPak)
When Erik Hughes, the Principal Product Manager on SWV asked me to write an article on our PolicyPak utility for SWV, I wasn’t exactly sure how to start.
As a Group Policy MVP I often think about the big picture problems around desktop management. But as the founder of PolicyPak software, I make it my job to solve these problems.
Recently, I created a video showing SWV and our product PolicyPak working together. That video is found at http://www.policypak.com/integration/policypak-symantec.html and this article talks about what that video means to you. (You can watch the video now, or wait until the end.)
We all know that Symantec Workspace Virtualization offers today’s network administrator an ideal way to deliver applications to the end user through the use of virtual application layers. But I think it’s interesting to talk about what happens after SWS / SWV has delivered the application.
Once the applications are delivered, the next challenges arise:
- How do you update configurations once apps are “out there?”
- How can you prevent users from editing and working around your desired settings?
- How can you ensure that important IT and security settings are guaranteed on your target machines?
If users can still view and alter your desired settings with SWV apps, this could mean problems ranging from misconfigured applications to compromised desktop security.
The fact is, SWV does a fantastic job of eliminating conflicts between your applications and the base operating system.
Using Group Policy would seem like the natural “additional component” to manage applications running with SWV. Turns out, Group Policy is “close but no cigar” when it comes to managing the applications themselves. Group Policy is great for controlling items that Microsoft ships in the box. As a Group Policy MVP I think Group Policy is the bee’s knees. But it misses the mark for managing most applications:
- Group Policy cannot lock down third party applications.
- GPO settings based around ADM/ADMX Group Policy Templates: these are delivered only one time with no remediation when users invariably try to work around your settings.
- GPO settings based around Group Policy Preferences: these are redelivered, but only when users are online and can see a DC.
- GPOs can only deliver basic registry settings or .INI settings. Group Policy cannot deliver complex registry settings (REG_BINARY) or settings to complex applications like Firefox, Java, OpenOffice, Flash, and tons of other applications.
- Group Policy ADM and ADMX templates tattoo settings (and don’t revert them) when a GPO no longer applies.
- Group Policy Preferences actually nukes (deletes) registry settings in applications for GPOs that no longer apply.
If you’re very geeky and want a deeper dive into precisely why Group Policy cannot do these things, I detail these issues in a whitepaper entitled “What most Group Policy (and Desktop Admins) don’t know about application management” (which can be downloaded for free at http://www.policypak.com/itwhitepapers).
You chose Symantec SWV because it makes application deployment easy and efficient. It makes deployment and co-existence easier because it isolates and virtualizes the application from the physical environment. Now you need a way to abstract the configuration settings from your users and manage those dynamically. If a user changes job roles, have the configuration change with the user and ensure that the exact settings you want are deployed and managed the right way.
PolicyPak is an add-on which works with the SWV agent. PolicyPak enables you to deliver, set, lock down, and remediate the settings within any real or layered application.
It’s a great one-two combo: Deliver your apps using Symantec SWV, manage and lockdown your applications’ settings using PolicyPak.
PolicyPak can deliver its settings using Group Policy or, alternatively, you can use any type of management software system, such as Altiris, SCCM, LanDesk, KACE, Windows Intune and so on.
PolicyPak has pre-configured Paks for more than 50 software applications such as Lync, Java, Firefox and Flash, Office, OpenOffice and on and on. In fact, the list of supported applications is growing all the time. What’s more, PolicyPak even comes with the PolicyPak Design Studio, which allows you to create a PolicyPak for just about any application, including home-grown apps.
With over 50% of the workforce as roaming and/or laptop users, you need to ensure consistency and security for your application settings. PolicyPak has a variety of superpowers to ensure that “What you SET is what they GET”:
- PolicyPak provides true UI Lockdown using PolicyPak AppLock™ to remove settings from prying eyes
- PolicyPak will constantly remediate any settings values -- every time the application is run (whether your users are online or offline).
- PolicyPak can perform “PolicyPak ACL Lockdown™” which can literally prevent users from changing settings inside your application. For a short video just on this feature (which works with SWV but is not shown specifically with SWV) check out this video: http://youtu.be/hJx8a1VxjW0
- PolicyPak delivers more than just mere registry or .INI settings. PolicyPak can deliver settings to over a dozen different application storage types like XML, .JS and others, targeting about 90% of the desktop applications in existence.
So, how can you see for yourself how PolicyPak truly augments and completes your SWV solution?
Again, our little PolicyPak and SWS/SWV demonstration video is found at http://www.policypak.com/integration/policypak-symantec.html.
But, if you’re ready to check it out for yourself, PolicyPak has a full, free trial mode which can enable a full end-to-end test drive to see if it’s right for you and your goals. It costs nothing to try out and most administrators can have PolicyPak fully deployed to an OU or their entire domain in under an hour (and backing out is as simple as removing an MSI file).
Use Symantec SWV to deploy your application in a consistent and predictable manner.
Use PolicyPak with Symantec SWV to ensure the consistency of your applications’ settings.
Special thanks to Erik Hughes, Andy Nicholson and Nirmal Rajarathnam, and the rest of the Symantec SWS/SWV team for assistance and encouraging me to write this article.
Jeremy Moskowitz, Group Policy MVP, Founder of PolicyPak Software