While previous Scense versions supported the Bring Your Own Device (BYOD) scenario, Scense 8 extends this functionality significantly. It’s because of the new support for internet protocols that connecting to a Scense back-end from the internet has become a lot easier, and now Scense 8 even allows you to install software over the internet. Scense 8 recently entered the Beta stage and has been made available to a selected audience.
Bring Your Own Device
Slowly but surely it seems that more and more administrators are getting used to the idea of users bringing their own computers. Especially schools are encouraging students to use their own laptop, or at least making plans for it. Of course there are several big advantages when users/students are bringing their own stuff, like a reduced number of computers that should be bought and managed by the company or school. They bring their own computer, so they can manage it as well… Disadvantages seem to involve software distribution, stability and license management.
How can Scense 8 make a difference?
As opposed to the way previous Scense versions made it possible to do ‘on premises’ BYOD, Scense 8 will be able to service BYOD remotely over the internet, including software distribution. Scense client-server communication is done using HTTP, and for software distribution the administrator can choose from 3 supported protocols: HTTP, FTP and WebDAV. This means that after starting the Scense Client most of the Scense functionality will also be available remotely and administrators can keep managing the applications even after they’re installed on the user’s computer.
Scense supports several flavors of application virtualization solutions, and Scense 8 makes sure these applications are supported on BYOD as well. Application virtualization can extend the software reliability and ‘security’ even more. Especially Microsoft App-V and Symantec SWV can be configured in a way that Corporate or Campus applications can only be started using Scense. This creates an extra obstacle for piracy, because; if the application doesn’t seem to be there, it’s hard to copy it.
How easy is it to manage all this and make sure it remains safe? To allow a BYOD scenario, including software delivery over the internet, several steps need to be taken.
- First we need to setup our Scense system and enroll some applications
- Next we need to make the Scense 8 back-end available over the internet
- Finally we need to install the client software on a non-domain computer
Installing and configuring the Scense system should be relatively easy using the Scense setup wizard. After installing we use Easy Delivery to add applications to the Scense system. In our BYOD scenario we would like to use applications that aren’t easily copied. For this we use Microsoft App-V or Symantec SWV as the application virtualization solutions because they will remain invisible to the user and therefore are harder to copy. For App-V we can choose a streaming server, but that would mean that we have to open up the streaming server to the internet as well. To avoid having to open up the streaming server to the internet we chose the stream-from-file variant.
In order to make the Scense back-end available over the internet we need to create NAT rules in our firewall, so the Scense engine web service can be reached over port 80. It is possible to set the Scense engine to another port than 80, but that will require some manual configuration of both the web service and the Scense client software. A best practice might also include moving the Scense server to the DMZ or creating a second Scense server in the DMZ.
To make software distribution over the internet possible, the ‘InstallScripts’ location should be shared through one of the supported protocols; HTTP, FTP or WebDAV. We just create a virtual directory on our Scense server and let the InstallScripts location be shared through HTTP, but it’s also possible to setup such a location on a remote server, e.g. at the hosting provider, and share it. In that scenario the entire InstallScripts, or just some applications, should be replicated to the remote server. The InstallScripts location can be secured using a user-id and a password.
In Scense Explorer the InstallScripts location and its accessibility can be configured in the System Settings. This is also where the user-id and password will be specified. The Scense client software will use these credentials without ever exposing them to the end-user.
The Scense client needs to be configured to use the Scense back-end over the internet. This includes the correct URL to be entered during the Scense client installation. Besides the Scense client software we will need to install the appropriate software virtualization software, the App-V client or the SWV agent. The App-V client needs to either be configured for use with the streaming server or for streaming from file. An SWV agent doesn’t need any configuration. On the workstation, probably a laptop, a local user account should be configured to have local administrative privileges. This account should be able to load applications.
After everything has been put in place it’s time to launch the Scense Client for the first time. Scense client will pop up a login dialog requesting you to enter the domain credentials. Even though we’re logging on to a non-domain computer we will have to somehow identify ourselves to a security authority, being the active directory of the domain in which the Scense server resides. The user-id used to logon to the Scense client is also used to check the group membership of the domain user. This means that the administrator can also use group membership to assign applications to users in a BYOD scenario.
After being authenticated the Scense client will start executing the logon script and shortcuts will be generated for the applications assigned to this user. Clicking an application shortcut will start the application installation process. For App-V applications this means that the application is downloaded from the web server and then loaded into the App-V client. Scense will then start the application inside the App-V bubble. SWV application packages are downloaded from the web site and then imported and activated by Scense after which the application will be started.
How about the administrator?
In a BYOD scenario the administrator is not expected (nor allowed) to take over the user’s workstation. The administrator merely facilitates the delivery of software and should not do anything else on this computer. However, the applications remain controlled by the administrator and the administrator remains the right to reconfigure or revoke the applications. So even on a BYOD computer the administrator stays in control of ‘his’ applications.