Can I create a Hyper-V virtual machine image for my team to download?

Hi,

I'm interested in giving our developers -- scattered all over the world -- a Hyper-V VM that they can download and run locally.

A few important requirements:

  1. We create the VM image centrally and give it to them so they can download the image and run the VM locally
  2. We do NOT want any data to be transferred between the local host and the VM. Not even clipboard where they can copy and paste simple text
  3. We also want to set some restrictions to their Internet access from the VM. For example, we want to block all web and FTP sites except for a few approved ones. This is to protect our intellectual property (IP). They can do whatever they want on their local machine but inside the VM, they can only visit a few approved websites.

Is this something I can achieve using the Hyper-V client built into Windows 8 and Windo

May 15th, 2015 12:54pm

Can you download a VHD and run it as a VM? - yes.

Can you lock down the OS for the users? - yes.

This is core to Windows through local or group policies. Has been around for ages. I used to lock down kiosks that were served up over Terminal Services this way.

I am not really sure what you are looking for.

There is no equal to XenClient and its central management of images and lockdowns, if that is what you are looking for.

May 15th, 2015 1:26pm

What we're looking for is a controlled environment for our developers to work from.

We want to:

  • Provide all the tools they need -- and manage version numbers, etc. so that we have a uniform OS and toolset
  • Keep all their work inside the controlled environment so that we can control our intellectual property. This is the primary reason why we want to lock down the OS so that they can't install anything on their own or visit unauthorized web/ftp sites
  • Provide an environment that does NOT require constant connectivity to the Internet -- some developers are from countries with less than perfect Internet infrastructure. Having a slow connection should not affect their productivity.

We've tried Moka5 and recently even tried Azure RemoteApp and Amazon Workspaces. It just dawned on me that maybe we could use the built-in Hyper-V client to achieve our objectives.

Does using the Hyper-V client make sense in this scenario?

May 15th, 2015 1:33pm

It can.

As long as you can produce the locked down image.

However, your clients are still local admins. And they can still mount the VHD and copy files in and out. Nothing prevents that; they are local admins after all. It does not have a management / lockdown layer for this use case.

XenClient is a locked down local hypervisor (the end user is never root, nor can act like it). It was designed for the security model. And, it has its pros and cons.

It has central image management, lockouts, policies, etc. And the image runs locally. Not a cloud streamed desktop. http://www.citrix.com/products/xenclient/overview.html

It is all in how you really want to implement it. And how much you need to 'own' the client device.

May 15th, 2015 1:59pm

Thank you for your response!

We briefly considered Citrix XenClient and VMware View but had such a horrible experience with both companies. Their mindset is 20th century, where they want to sell you a lot of stuff and work through resellers who are only interested in big enterprise accounts. We're not that big yet. When we mentioned we had about 10 developers, none of them wanted to deal with us.

The developer can be the local admin of the local host and choose to mount or dismount the VHD. What we care about is that they have no admin rights once inside the VM.

Another question is this: is it possible for us to force developers to log in using their AD accounts? They can log in to their local computers any way they like, but it would be great if we could force them to use our corporate AD accounts to log in to their VMs. Our AD and ADFS servers are on Azure. Would it be possible to require AD-based login to their VMs?

May 15th, 2015 2:07pm

Inside the VM BitLocker can be used. This can defeat mounting the VHD to get around the security imposed by the OS running in the VM.

Can you force developers to log on with domain creds? Sure. Don't give them any other account in the VM. If the VM is domain joined, there are no local accounts, and they are not admins in the VM, they cannot create other accounts in the VM.

The complexity is this: now they have to be able to talk to your AD at logon time. And you don't want to expose public ports. You will want to have some VPN tunnel that your authentication can pass through.

Or log on once on premises so they can cache the credential. And eventually that token will age and they will be blocked without being able to refresh it. That is the negative to being disconnected.

So you end up being back to requiring some level of network connectivity.

As far as your Citrix and VMware experience - that was the sales person(s) you were dealing with. Frankly MSFT does that as well. But, frankly, any software company likes to sell software.

There is a lot wound up in here to try and roll this yourself. I am only saying that with some creativity, it can be done. But off the shelf packages built to do this will get you farther, faster.

May 15th, 2015 2:23pm
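The reply above lists the controls that make a self-built image hold up: no local accounts, a non-admin domain user, BitLocker inside the guest, and restricted outbound traffic. The following audit script is an added example (not code from the thread or from Microsoft) that checks those controls inside the VM before the image is handed out; it assumes Windows 10 / PowerShell 5.1 or later for Get-LocalUser and the NetSecurity and BitLocker modules, and the account name and firewall rule name are placeholders.

```powershell
# Added example: audit a candidate VM image against the lockdown controls
# discussed in this thread. Run inside the VM, elevated, while building the
# image (the developer account should NOT be able to run this later).
# Assumes Windows 10 / PowerShell 5.1+ (Get-LocalUser, NetSecurity, BitLocker).

param(
    [string]$DeveloperAccount = 'CORP\developer',                   # placeholder
    [string[]]$AllowedRuleNames = @('Allow approved web sites')     # placeholder
)

$findings = @()

# Control 0: the VM must be domain joined, otherwise domain logon cannot be enforced.
if (-not (Get-CimInstance Win32_ComputerSystem).PartOfDomain) {
    $findings += 'VM is not domain joined'
}

# Control 1: every enabled local user is a way around domain logon.
foreach ($u in (Get-LocalUser | Where-Object { $_.Enabled })) {
    $findings += "Enabled local account present: $($u.Name)"
}

# Control 2: the developer must be a standard user inside the VM.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $DeveloperAccount) {
    $findings += "$DeveloperAccount is a member of local Administrators"
}

# Control 3: BitLocker on the OS volume, so mounting the VHD on the host
# (where the developer is a local admin) does not expose the files.
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
if ($os.ProtectionStatus -ne 'On') {
    $findings += "BitLocker protection is $($os.ProtectionStatus) on $($env:SystemDrive)"
}

# Control 4: outbound default-deny on every firewall profile, with only the
# approved allow rules enabled (built-in Windows rules will be listed too;
# each one has to be reviewed or disabled in the image).
foreach ($p in Get-NetFirewallProfile) {
    if ($p.DefaultOutboundAction -ne 'Block') {
        $findings += "Profile $($p.Name) allows outbound traffic by default"
    }
}
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    Where-Object { $AllowedRuleNames -notcontains $_.DisplayName } |
    ForEach-Object { $findings += "Unexpected outbound allow rule: $($_.DisplayName)" }

if ($findings.Count -eq 0) { 'Image passes the lockdown checks.' } else { $findings }
```

The firewall check is deliberately strict: Windows ships many enabled outbound allow rules, so expect a long list on the first run and trim it as you disable rules the image does not need.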

Thanks again Brian. Do you work for Citrix Labs or are you an independent consultant?

May 15th, 2015 2:31pm

I do work for Citrix Labs. I am a test engineer by title. I evaluate and prototype, but I don't sell. I invent and prototype and build integrations (and fix integrations).

Prior to this I was in IT for 10 years. Many bleeding edge implementations of various things over that time.

I only mention XenClient because I know it was built around the secured VM scenario. Client Hyper-V was enabled for developers to run VMs on their workstations. VMware specifically added the VM checkout / check-in a few years back for offline / mobile users (securing the VM was a later goal). Each came from different roots and different assumptions.

I have no experience with Moka5. And the other two are just remote desktops from the cloud - and you had mentioned poor connectivity and disconnected clients, so I would not expect them to be good fits.

Please ask questions. I am always as honest as I am able to be to folks. And I always try to be fair to all the products.

May 15th, 2015 3:52pm

Brian,

I was asking to see if you helped companies like mine in deploying a good solution. My company is a small software company, so we're a bunch of IT guys ourselves and we can certainly pull this off, but it would be much better to work with a consultant who's already mastered the technology being implemented.

May 15th, 2015 3:59pm

Sorry for the long answer.

I am not available for that type of engagement.

But yes. Local machine and user policies in the VM image to lock it down. Traffic control. And then securing the data within the VHD itself. Some type of VPN agent within the OS of the VM.

If the financial institution that I worked for did this today for the few mobile financial advisors, we would probably try to roll it ourselves before investing in a package.

May 15th, 2015 4:15pm

Thanks for all your help!
May 15th, 2015 5:22pm

Brian,

I have one more question: in addition to XenClient, what other software do we need to set this up?

May 16th, 2015 1:20pm

XenClient has all of the moving parts.

The client, the synchronizer, the management. It is a client-server system.

May 17th, 2015 9:24am

Thanks again!

May 17th, 2015 11:42am

Brian,

One more question:

Does XenClient run on top of the host OS -- as if it's an application -- or does the user boot into the XenClient partition?

Thank you!

May 27th, 2015 6:21pm

XenClient (on the user's device) installs on bare metal. It is a locked down type 1 hypervisor.

XenClient (on the management infrastructure side) installs on Windows Server.

May 28th, 2015 10:52am

Thanks again!
May 28th, 2015 12:17pm
