INDUSTRY INSIGHTS

The Definitive Guide to Application Layering

Application layering has been validated by Gartner as the best way to deliver, manage, update, and revoke Windows applications in the new world of virtual and cloud workspaces (see Selecting the Right Application Delivery Model for Virtual Desktops, Gartner Research ID G00269228). Gartner's analysis, coupled with rapidly growing customer adoption, has boosted interest in this new application lifecycle management technology. With some vendors bringing new layering solutions to market and others simply rebranding existing products as layering, it's important for IT professionals to understand what layering is and what the essential requirements are. This guide provides that insight.
Application Layering Defined

Application layering is a relatively new management technology that separates Windows applications from underlying infrastructure so that the apps can be managed once and delivered to any modern end user computing platform without installation. With layering, IT organizations can more cost-effectively transition from physical PCs to Virtual Desktop Infrastructure (VDI) or Remote Desktop Session Hosts (RDSH), on-premises or in the cloud. Layering can also support hybrid application management across all four options (VDI, RDSH, on-premises, and cloud) to satisfy different use cases and user requirements.

Layering offers many benefits:

- Lower cost, faster app delivery
- Massive reduction in the number of gold images that need to be patched
- Application mobility and portability
- Easier license compliance
- Freedom from vendor lock-in
- Lower cost, more flexible disaster recovery options

Technically, a layer is a collection of Windows files and registry keys that are captured by a standard software installation procedure and stored as a virtual disk (e.g. VMDK or VHDX). When a layer is assigned to a virtual machine, the virtual disk representing the layer is attached, delivering the application as if it were locally installed. File system and registry virtualization technology merges all assigned layers together. With all apps broken out and delivered as modular layers, a single Windows gold image can be used as the basis for all virtual desktops and session hosts.

Figure 1: Layers are virtual disks that can represent the Windows OS itself, individual applications, and persistent information.

Solutions That Are Not Layering

Other application delivery technologies are sometimes included in the layering category. Here is why they are excluded from this guide:

- Application Virtualization. Designed to solve app/OS conflict and compatibility issues, application virtualization uses process isolation to package apps in protective bubbles, hiding them from Windows and other apps. While it serves this purpose well, it was never intended to be used for enterprise-wide, cross-platform application deployment and management. Unlike layered apps, virtualized apps do not appear in Add/Remove programs, their files don't show up in the file system, and their registry keys aren't visible in Regedit. As a result, app compatibility and interoperability are limited. Packaging is also complex and time-consuming, requiring advanced IT expertise.

- Agent-Based Software Distribution. Traditional PC management tools have been an IT staple for decades. Agents on every desktop run silent installations so IT administrators don't have to physically touch every machine and manually execute the same procedure. While this class of tools has been valuable in distributed PC environments, they overwhelm the shared server and storage resources in cloud-hosted application deployments due to the repetitive re-installs that are required on every virtual machine. They also require advanced IT packaging skillsets. Lastly, they generate floods of service tickets when the silent installations don't work as expected due to differing machine configurations.

- Image Masking. This new class of tools requires every possible application to be installed into a single gold image. It then uses masking technology to hide apps, presenting only the ones that users are allowed to see. Many IT organizations quickly dismiss this approach due to the sheer size of the image. Any change to any app requires cracking open the massive image. This approach also introduces licensing concerns, since apps that are present on a machine must be licensed even if they are not visible to the user.

Essential Layering Requirements

Now that layering is defined, let's look at the essential requirements of an effective layering solution. These requirements are summarized at the end of this guide so you can see them all in one table.

1. Full Application Compatibility

One of the reasons that traditional application virtualization solutions have had limited success is their inability to deliver all apps. Application virtualization technology runs in the Windows guest after Windows itself has been loaded, and uses process isolation to separate apps from the OS and all other apps. Apps with drivers and early-start services (e.g. anti-virus, Acrobat, WinRAR, printers, scanners, USB devices) and apps with dependencies on Windows components (e.g. Internet Explorer) are incompatible with this approach.
Complex sequencing procedures and workarounds to deal with the side effects of process isolation, which can consume days of even the most experienced administrator's time, also prevent many apps from being successfully virtualized.

Application layering can offer much greater application compatibility because it uses file system and registry virtualization technology instead of process isolation technology. The layering process is also much simpler (just a standard install), meaning anyone in IT who has a few minutes can layer an app.

Layering solutions designed using a full-stack, below-the-OS architecture achieve near-100% app compatibility by providing both In-Guest layering (the ability to mount a virtual disk directly into the Windows OS) and Out-of-Band layering (the ability to layer the Windows OS itself and apps into full C: images before a machine boots). Out-of-band layering is what enables the delivery of apps with boot-time services and drivers. Also, by layering Windows itself, it can provide the app/OS conflict resolution necessary to deliver OS-dependent apps such as Internet Explorer. This ability to layer all apps apart from the Windows OS means that one clean OS layer can be used for all use cases, making Patch Tuesdays much easier.

Figure 2: Look for layering solutions that can deliver any application to minimize the number of apps that must be bundled with your Windows images.

Layering solutions that use a partial stack, above-the-OS approach only support In-Guest layering, and thus have many of the same limitations as traditional app virtualization. They cannot deliver boot-time apps, OS-dependent apps, apps that need to stay running when users are logged out, or Windows itself. The workaround is to deliver unsupported apps as part of the Windows image. However, this re-introduces the limited app compatibility and Windows image sprawl that causes so many problems with traditional app virtualization.

If you don't want to patch extra images and you need to deliver a broad spectrum of applications, including those with boot-time drivers and OS dependencies such as Internet Explorer, PDF writers, speech recognition and dictation solutions, printers, scanners, antivirus, single sign on, video surveillance, etc., make sure you test whether your layering solution can deliver all of them.

2. Layer Interoperability

The process isolation approach used by traditional application virtualization solutions was designed to minimize conflicts between the OS and apps. This also prevents application interoperability. The only recourse is to sequence apps or plugins that need to work together in the same isolation bubble. Some solutions also permit poking holes in bubbles to allow for cross-communication. However, these workarounds are too complex for many IT organizations, who simply want apps to work together the way users expect.

Application layering solutions can solve the interoperability challenge.
By using file system and registry virtualization technology instead of process isolation technology, layered apps have the look and feel of a local install.

Layering solutions with advanced cross-layer merge technology offer full application interoperability. These solutions enable IT to layer any app or plug-in separately, assign the layers in any order or combination, and have the apps interoperate the same as if they were natively installed.

Layering solutions that do not have advanced merge technology will have issues when applications and services that need to interoperate are packaged in separate layers. .NET applications, plug-ins, and drivers that use the Windows driver store are common examples. Instead of being able to manage apps and plug-ins in their own clean layers, IT will have to combine them in the same layer. App delivery times will increase as IT professionals need to anticipate what apps need to be packaged together. The same app will have to appear in multiple layer stacks to account for multiple use cases. The ensuing layer sprawl will negate the value of using layers to achieve a single point of patch and control.

Figure 3: Layering solutions that offer cross-layer merging ensure app interoperability so you can avoid layer duplication and ensure a single point of patch and control.
If you need to deliver apps and plug-ins that have to interoperate and you want to avoid patching inefficiencies, make sure you test how well your layering solution works with apps and plug-ins in their own separate layers. Then test whether they behave as expected when users try to use them together.

3. Flexible Layer Delivery Options

Once you have your apps layered, the next consideration is how and when they will be delivered. If you want to deliver layers to specific machines, look for solutions that support machine-based assignment. If you want to deliver apps to specific users independent of the machine they are using, look for solutions that support user-based assignment. If you have use cases that require delivery of apps into running virtual machines (VMs) without a reboot, look for solutions that support on-demand layer delivery.

On-demand delivery, also known as hot-add or real-time layering, is particularly useful when managing apps for remote desktop session host (RDSH) solutions such as Citrix XenApp or Microsoft RemoteApp. A single session host typically supports many users, so having to reboot the host to make a layer change take effect will create downtime for all users connected to that host. Delivering layers on-demand will prevent this downtime.

On-demand delivery coupled with user-based layer assignment is especially relevant in VDI environments where only a subset of users is accessing their VMs at any one time. Instead of having to allocate a full VM for every user, you can use a floating pool that has just enough VMs to support the maximum number of users logging on at the same time. By dynamically attaching application and personalization layers at login using each user's entitlements, these non-persistent desktops will look and feel just like persistent desktops, while using significantly fewer resources.

4. Persistent Layers

As the previous section indicates, effective layering is not just about applications.
Application and OS layers are controlled by IT, so they are typically stored as read-only virtual disks that can be attached to, and shared by, many VMs. However, in VDI environments where you want to make non-persistent desktops look like persistent desktops, or in RDSH (Citrix XenApp, Microsoft RemoteApp) environments where you want to make shared sessions look like persistent desktops, you'll also need writable persistent layers.

Figure 4: Layering solutions that offer real-time, on-demand delivery of application and user layers conserve resources and minimize downtime.

Persistent layers are writable virtual disks that capture all user customizations. These layers should be able to save all user settings typically stored in roaming profiles, as well as any data that is saved locally while the user is logged in and any user-installed applications and plug-ins. By attaching a user's persistent layer at login along with any assigned app layers, users will always have a desktop that looks like their own, even if they are really using a pool of shared VMs or a shared multi-user session.

Figure 5: Layering solutions that support persistent layers enable shared pools of VMs or RDSH sessions to be personalized with each user's settings, data, and user-installed apps, in addition to the app layers assigned by IT.

If VDI and RDSH are your target platforms for layering, make sure you choose a layering solution that offers persistent layers in addition to application layers.

5. Layer Once for Any Platform

As enterprises modernize their end user computing environments, they are adopting multiple platforms. It's now common to see RDSH and VDI deployments on multiple hypervisors within the same datacenter. Cloud-hosted RDSH and VDI options are adding even more variety. IT organizations find themselves packaging the same apps over and over again for these different platforms using different toolsets. This is costly and inefficient, limits business agility, and creates vendor lock-in.

Layering solutions that can deliver the same layers to any platform solve these problems. The package-once, deliver-anywhere flexibility offered by open layering solutions enables IT to focus on use cases instead of infrastructure.

Figure 6: Open layering solutions that can deliver the same layers to any virtual infrastructure or cloud reduce application management costs and maximize business agility.

The ability to deliver layers anywhere also offers tremendous flexibility and affordability when it comes to disaster recovery. Layers can be quickly delivered to desktops or sessions in the cloud if users are unable to access on-premises infrastructure.
If you have a mix of different client computing platforms, or want to keep your options open as you consider moving workloads to the cloud, make sure you select a layering solution that will support all of the platforms you have today, and may have in the future.
6. Lifecycle Management

Delivering applications to target systems is one function of layering. But it doesn't stop there. How do you undo a bad patch that caused applications to break? How do you keep track of layer changes when you have a large IT team? How can you tell which machines and users have been assigned certain apps for license audits? How do you efficiently handle break/fix when a user customization causes a DLL conflict?

Layering solutions that offer application lifecycle management capabilities can accelerate software deployment, upgrades, patching, break/fix, and retirement. They can track all changes to OS, application and persistent layers, and provide full audit records and version management. Administrators can undo patching mistakes simply by rolling session hosts or desktops back to an earlier version of any layer.

Figure 7: Layer lifecycle management makes it as easy to update, revoke, and audit changes to applications as initial delivery.

If you want to be able to roll back updates as easily as you roll them out and track all changes to your software inventory, look for layering solutions that provide complete lifecycle management capabilities.
Comparison Table

This table summarizes the requirements outlined in this guide. Compare how other layering solutions stack up against Unidesk, the original inventor of layering and the industry leader in open layering solutions.

Columns: Requirement, Unidesk, Other Solutions

Application Compatibility: 99%+
- In-Guest Layering
- Out-of-Band Layering

Layer Interoperability
- Cross-Layer Merge
- OS/App Conflict Resolution

Flexible Layer Delivery Options
- On-Demand Delivery
- Per Machine Assignment
- Per User Assignment

Persistent (Writable) Layers
- VDI
- RDSH

Open, Any Platform Support
- On-Premises (Hypervisor): VMware ESXi, Microsoft Hyper-V now; Citrix XenServer, Nutanix Acropolis coming
- Cloud: Azure now; Amazon, Google coming
- VDI: Citrix XenDesktop, Microsoft VDI, VMware Horizon now
- RDSH: Citrix XenApp, Microsoft RemoteApp, Azure RemoteApp now

Lifecycle Management
Conclusion

Layering is a sophisticated technology, with many innovations needed to make the end user experience seamless and the IT administrative process simple. IT professionals looking to overcome the challenges of application delivery and image management in modern end user workspaces should consider the requirements outlined in this guide when considering or evaluating a layering solution.

About Unidesk

Unidesk is the leader in management software for mobilizing Windows apps. With Unidesk layering technology, IT organizations manage applications once across session hosts and virtual desktops on any cloud with unparalleled packaging simplicity and 99% application compatibility. Unidesk's hybrid management solution supports leading cloud platforms including Microsoft Hyper-V, Microsoft Azure and VMware vSphere; and integrates with leading desktop and application virtualization solutions including Citrix XenApp/XenDesktop, Microsoft VDI/RDSH and VMware Horizon. Unidesk is a privately held company headquartered in Marlborough, Mass., with 1,300 customers and solution partners around the world. Visit www.unidesk.com to learn more.

Unidesk Corporation, 313 Boston Post Road West, Marlborough, MA 01752 USA
Tel 508.573.7800
www.unidesk.com

Copyright © 2016 Unidesk Corp. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Unidesk is a registered trademark of Unidesk Corp. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Item No: UNI-WP-LAYER-01-16