The adoption of new technologies such as desktop virtualization (e.g. Citrix® XenDesktop®, VMware® Horizon ViewTM) has radically changed the desktop landscape making software license compliance and license optimization even more difficult. The challenge of tracking application installation and usage in this environment combined with ever changing, complex or undocumented product use rights puts organizations at risk of being non-compliant.
For many years, desktop virtualization (aka Virtual Desktop Infrastructure (VDI)) has been positioned as a technology that will revolutionize the desktop market; many analysts predicted it would soon take over a significant share of the market. A significant percentage of medium to large organizations is currently in the process or has implemented virtual desktops but its use is restricted to a few case scenarios due to the heavy upfront investment required and the lack of significant return on investment.
As of today, desktop virtualization represents only a few percent of all desktops. However, it is still seen as one of the leading technologies that should take a more significant portion of the market in the coming years. One of the drivers fueling these forecasts is the rapid adoption of mobile devices and Bring Your Own Device (BYOD) policies by organizations. For these devices, the virtual desktop offers end users the flexibility to access their business environment from anywhere, at any time, from almost any device, running any operating system.
The drivers for desktop virtualization, as shown in Figure 1, also include providing the ability for IT to centralize and simplify desktop management and accelerate provisioning of new desktops. In addition, this technology meets most organizations’ security, compliance and regulatory requirements as data and applications are kept securely in the datacenter.
Types of Virtual Desktops
Virtual desktops come in two flavors: persistent and session based (or non-persistent). A persistent virtual machine is a virtual machine that is kept on a disk in the datacenter. Each time the user logs in, the previous session on that virtual machine is resumed. A user can create shortcuts, customize or install additional applications on his or her virtual desktop and all of these changes will be available in future sessions. Persistent virtual machines are usually only assigned to power users or administrators as they consume a large amount of resources—such as storage, in the datacenter.
The most common virtual desktops are session based. A session based virtual machine is assigned from a pool of virtual machines to the end user at log in time and wiped out each time the user logs out. Some vendors offer technical solutions to keep user changes across sessions and can even add applications to the virtual desktop template based on the user profile. In these instances, when the user logs in, the user personalization is added to the virtual desktop template.
In the traditional desktop world, inventory is performed by an agent running within the operating system. Inventory consists of capturing software package data, for instance in Windows environments—from Programs and Features, file data, including contents of specific files, Windows registry or ISO 19770-2 tags. From there, data scrubbing and analysis is performed by an application recognition tool to generate the list of commercial products requiring a license. Additionally, a review of the login history on the device provides clues about its primary user. Typical inventory tools run on a schedule or are executed at log on time. Scheduling is the most commonly used strategy as it is less intrusive: it does not slow down the execution of the operating system when the end user requests access to it. It takes a few minutes for an inventory tool to capture data, the most resource intensive task being to perform a disk scan for executables, DLLs, ISO/IEC 19770-2 tags or specific files.
For persistent virtual desktops, inventory tools are able to capture inventory and usage data the same way as for traditional desktops. On the other hand, session based virtual desktops are challenging for many reasons: there is no practical way to run the inventory on a schedule as the machine is wiped out every time the user logs out and this may happen multiple times a day. The lifespan of a virtual desktop can be extremely short, not leaving enough time for a scheduled or session triggered inventory to complete successfully. Inventory tools identify operating system instances by using various techniques: from analyzing key hardware or software properties (serial number, MAC address, IP address…) or by assigning a unique identifier to each one. A session based virtual desktop gets reused across multiple users or is re-imaged after use. So, it’s difficult to get a unique inventory for each session. This can result in an ever growing, large number of devices that will need to be reconciled. An alternative approach is to set-up a mechanism to group sessions together on a per user basis.
In the virtual desktop environment, templates of virtual machines are created and assigned to users. When a user accesses a session based virtual desktop, a new virtual machine is created from the template assigned to the user and the user roaming profile is attached to that virtual machine to establish his personalized settings from information in the Documents or My Documents folders. This includes his desktop background, shortcuts, favorite links, etc. The relationship between templates and end users is based on access rights granted to end users for specific templates.
Another difficulty is identifying additional applications that have been added to the templates based on user profiles. These applications are usually deployed using application virtualization technologies (e.g. Citrix XenApp or Microsoft App-V). For these, a quick scan at the beginning of the session can be performed or alternatively this information can be extracted from the application virtualization tools themselves.
There are very few discovery and inventory tools that can be used to inventory session based virtual desktops. One approach is to inventory the templates that are used to clone session based virtual desktops. A recommended approach is for a product to perform a quick scan at the beginning of the session and/or utilize the relationship between users and virtual desktop templates to get an inventory of the session based virtual desktop for a particular user.
One of the biggest challenges in session based virtual desktop environments is measuring application usage. There are only a few specialized tools on the market able to perform this task. If these tools are not available, usage data may be limited to information provided by the application virtualization technologies. For instance, Citrix EdgeSight will measure usage for XenApp virtualized applications. It is recommended that the ITAM discovery tool be able to collect usage data from EdgeSight.
A big license management challenge in virtual desktop environments is related to the use of device based licenses (more on this below). The devices considered for licensing in this model are not the virtual desktops running in the datacenter, but the physical endpoint devices used to access them. For instance, if an end user uses both a laptop PC and an iPad to access a virtual desktop environment, two licenses may be needed depending on the product use rights associated with the software product running in the virtual desktop. To maintain license compliance, it is mandatory to capture some key inventory data for these endpoint devices during each virtual desktop session. Only a few inventory tools available today are able to capture this data.
As can be seen, inventorying virtual desktops is not easy. Traditional inventory tools often fall short in this environment. Different strategies and tools are needed to capture the inventory and usage data required to accurately calculate a license position. The license management tool must be able to collect, process and aggregate data from different data sources. Flexera Software’s FlexNet Manager Platform product captures user access rights and usage data for both virtual desktops and virtualized applications to enable an accurate determination of the license position for applications running in these environments.
Licensing in Virtual Desktop Environments
In the desktop world, there are three main types of licenses: concurrent, user and device based. Concurrent is the easiest to handle from a license compliance perspective, as compliance is usually self-managed by the license model and license server—only a certain number of people can check out a license at any one time. Organizations are usually compliant with this license metric, although there can still be issues, particularly when using licenses across different geographical regions, for example. The complications around concurrent licensing come about when trying to determine the optimal number of licenses required to keep denials of service in check, without over spending on software licenses.
In the user license model, a user will usually consume a single license regardless of how the application was accessed: from a local installation, using an application virtualization or virtual desktop technology or any combination of the above. This license model requires the ability to accurately capture usage data and user access rights to software products in these environments (as described above) to accurately calculate a license position. Capturing this data also enables license optimization by removing access to inactive users, for instance.
Device based licenses are the most challenging for two reasons: first, as mentioned above, the device license applies to the device from which the application is accessed, not to the device where the application is running. In a remote desktop virtualization scenario, these are two distinct physical devices: the physical server in the datacenter where the virtual desktop is hosted and running and the devices used to access the virtual desktop. The devices in this last category are the ones counted toward licensing and could be anything from the user’s company owned or personal computer, laptop, iPad, and intelligent mobile device, to an internet café computer. The second reason why device based licenses are challenging for license management is the existence of product use rights that must be applied to these desktop virtual environment configurations.
Among all the software vendors, Microsoft has taken the lead in publishing product use rights for each of its products when used in a virtual desktop environment. On the surface of it, all devices using virtual desktop technology to access a Microsoft software product that is licensed per device must be licensed for this product. However, there are a few exceptions tied to the virtual desktop access and roaming use rights provided by Software Assurance (SA), Virtual Desktop Access (VDA) or Companion Subscription License (CSL) licenses.
Software Assurance is a maintenance program providing many benefits including access to the latest releases. It provides both virtual desktop access and external roaming rights. A Virtual Desktop Access license is a subscription based license intended to cover devices that cannot be covered by Software Assurance such as thin-clients, contractor owned PCs, etc. It only provides virtual desktop access rights for the Microsoft Windows Operating System. A Companion Subscription License can be purchased on top of Software Assurance or a VDA license to cover the Windows OS on Bring Your Own Device (BYOD) devices when people use them within the company premises to access virtual desktops. A single Companion Subscription License covers up to 4 devices.
Organizations should take extra care to manage licensing when deploying a virtual desktop solution. Most of the time, additional licenses or subscriptions must be purchased that add to the cost of the virtual desktop solution itself. Once the virtual desktop solution is deployed, the organization must manage and monitor users, end point devices and deployed software products to maintain license compliance. This is not an easy task and there are still some grey areas such as controlling access from BYOD devices either on company premises or outside of the company.