What is Managed Desktop?
What will Managed Desktop give me?
What are the differences between MD Office and MD Lab?
What are the differences between a staff user and a student user?
Who decides what software is installed for Managed Desktop?
What software is available in the Managed Desktop?
How do staff get elevated rights on their workstation if required?
Why is the University using Privilege Guard?
How do some applications, such as Internet Explorer, allow users to keep their personal settings and favorites and use them on any Managed Desktop machine?
How does Managed Desktop install software to secure Workstations?
Is the Sophos Anti-Virus Checker in the Default Managed Desktop Image?
Where is Student Homespace stored and how it is accessed?
What is stored in the student Homespace directory?
What happens if the connection to Homespace fails on Login?
What can cause the connection to Homespace to fail on Login?
Why when the connection to Homespace fails does Managed Desktop create an F: drive mapping to a directory on C:?
Are there any plans for a Windows 10 Managed Desktop?
Managed Desktop is the name given to the University’s computer desktop that is provided by Student and Learning Services.
It is used in all of the SLS open access labs, the Learning Centres and by staff and students in faculties and departments within the University.
The current desktop is based upon Microsoft Active Directory and Microsoft's Windows 7 Enterprise operating system, and is known as MD7.
The year the desktop is produced is used as the version of the Managed Desktop, for example MD2015 is the desktop for 2015/16.
There have been previous versions of the Managed Desktop that have been produced since 1998 and have used Windows NT, Windows 2000 and Windows XP.
The earlier versions were known as ‘Zenith’, and this is how some users still refer to the desktop, but the name was altered to ‘Managed Desktop’ in 2004.
There are two flavours of the Managed Desktop, which are Managed Desktop Office and Managed Desktop Lab.
The desktop can also be used on laptops and tablet PCs, and there is a VMware version available for anyone using VMware Workstation. There are also some VDI workstations using Managed Desktop.
What will Managed Desktop give me?
Managed Desktop provides a consistent desktop for all users, allowing users to log in to any Managed Desktop machine and receive a standard desktop with a standard interface, consistent software configuration, drive mappings, access to Homespace and menus.
This allows users to move between machines whilst keeping personal settings, such as Internet Explorer Favorites and user files.
Managed Desktop conforms to the Sheffield Hallam University IT Regulations and strictly enforces the JANET Agreement that gives us access to the Internet.
This agreement states that no generic (shared) user codes can log in and gain access to the Internet. All access to the Internet must be from unique user codes from which the individual user can be identified.
What are the differences between MD Office and MD Lab?
There’s not much difference between Managed Desktop Office and Managed Desktop Lab.
Managed Desktop Office is the version of Managed Desktop that is generally used by staff within their offices whilst Managed Desktop Lab is used within the student laboratories.
Lab workstations are configured for use by students, on the assumption that each login is by a different user.
Office workstations are configured on the assumption that the user regularly uses the same workstation, so on Office workstations user profiles are not deleted and other settings are retained.
Another major difference between Managed Desktop Office and Managed Desktop Lab is that Managed Desktop Office machines usually have a data partition (d: drive) so that users can store personal files on their own machine.
Staff and student users can log in to either version of Managed Desktop without any problems.
What are the differences between a staff user and a student user?
All user codes are now stored in, and authenticate against, Active Directory.
There are a number of differences between a staff user and a student user.
Staff user profiles have the ability to be non-volatile, so remain on an Office machine after the user has logged out. This allows staff users to alter the default settings for the workstation and applications.
If required, staff users can have elevated rights on their workstation so that the staff user can install software on that machine if necessary.
Student profiles are volatile: a profile is removed from a lab workstation when the machine is restarted and the profile has not been used for 8 days. This allows a student who uses the same workstation each week for lectures to have a faster login than if no profile existed. At no time can a student user have elevated rights on any workstation.
All users have their Homespace stored on Windows file store and shared drives in order to easily share information. In the past staff and students had their Homespace stored on different file storage systems.
Who decides what software is installed for Managed Desktop?
SLS, Faculties and Departments decide the software that is present within the image.
The current Managed Desktop image consists of Windows 7 Enterprise, Microsoft Office 2010 and various other packages.
There are many more packages installed to use with Managed Desktop, but most of these are teaching packages and so are only upgraded if we receive a request to do so from a lecturer, and even then any major changes to packages will only occur during the summer, when the latest version of Managed Desktop is released.
We do add new packages and updates as requested throughout the year, and distribute software updates to patch security vulnerabilities.
What software is available in the Managed Desktop?
There are over 600 applications available in the Managed Desktop, delivered by three main methods:
- installed in the master image that goes onto every workstation;
- available on every workstation but run from a network location, so only usable when connected to the network;
- delivered from a central distribution service and installed locally only on the workstations where they are required.
IS&T have produced an updated software list that currently lists the availability of software for the University’s Managed Desktop within the student IT laboratories.
The list shows the currently available software and where it is deployed within the University, as well as the software deployed to each room.
How do staff get elevated rights on their workstation if required?
For previous versions of Managed Desktop, if users required elevated rights then they would have local administrator rights to the workstation.
For the MD7 desktop, rather than users permanently running their workstation with elevated rights (which lets trojans and other malware run with those same rights), the University uses an application called Privilege Guard. It grants elevated rights only for the task that needs them, such as installing software, while the user runs with standard rights the rest of the time.
We currently have a number of configurations for the rights granted by Privilege Guard depending on the user requirements.
Why is the University using Privilege Guard?
There are a number of reasons for the implementation of Privilege Guard within the University.
Users running with permanent local administrator rights is a significant security risk.
By operating a least privilege environment, users are prevented from directly or indirectly compromising security. The elimination of admin rights is one of the most effective measures an organisation can take to improve security across its IT estate. Operating with a 'Standard User' account mitigates circa 90% of all malware attacks on a Microsoft desktop, as most malware relies on local administration rights to gain full access to a system.
For example the ‘out of band‘ critical security update for Internet Explorer released in September 2012 which states:
An attacker who successfully exploited any of these vulnerabilities could gain the same user rights as the current user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Using elevated privileges only when required significantly reduces the risk to the user, the workstation and the University, and also reduces support calls and therefore support costs.
Why should applications be launched via the menu shortcuts instead of running the executable file or from the Start, Run command?
In most cases, the menu shortcuts launch the application's executable via a script. The script is used to set up the application before the executable is run so that it is delivered in a consistent state every time. This may include installing required files, or adding or altering registry entries or INI files. Some applications also need to map drives before the application can launch correctly.
If applications aren't launched via the menu then it cannot be assured that the application will work in the required manner every time.
How do some applications, such as Internet Explorer, allow users to keep their personal settings and favorites and use them on any Managed Desktop machine?
Certain applications have been configured so that user setting files are stored on the user's Homespace, within the F:\MD, F:\MyWork and F:\Zenith directories.
When these applications were installed they were configured to use files from those directories, and scripts and registry alterations allow us to check that all of the files necessary to run the application successfully are present. If they are not present, or are out of date, the scripts copy the files to that location. If the files are present then the application launches and uses the files already there.
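The following is an added example of the launcher-script pattern described in the two passages above (a menu shortcut running a script that prepares files, registry entries and drive mappings before starting the executable). It is not SHU's own launcher script: the application name, executable path, master-settings folder, drive letter and share are all assumptions chosen for illustration.

```powershell
# Added example of a Managed Desktop style launcher script (not SHU's own code).
# Every path, name and share below is an assumption for illustration only.
param(
    [string]$AppName     = 'ExampleApp',                                  # assumed
    [string]$ExePath     = 'C:\Program Files\ExampleApp\ExampleApp.exe',  # assumed
    [string]$Masters     = 'C:\MD\Defaults\ExampleApp',                   # assumed master copies
    [string]$UserDir     = 'F:\MD\ExampleApp',                            # per-user settings on Homespace
    [string]$DriveLetter = 'S',                                           # assumed data drive
    [string]$DriveShare  = '\\fileserver\appdata'                         # assumed share
)

# 1. F: must exist (real Homespace or the C:\Data\username fallback) before anything else.
if (-not (Test-Path 'F:\')) {
    throw "Drive F: is not available; cannot launch $AppName."
}

# 2. Make sure the per-user settings folder exists.
New-Item -ItemType Directory -Path $UserDir -Force | Out-Null

# 3. Copy each master file that is missing from the user's folder or older than the master copy.
foreach ($master in Get-ChildItem -Path $Masters -File) {
    $target = Join-Path $UserDir $master.Name
    if (-not (Test-Path $target) -or
        ((Get-Item $target).LastWriteTime -lt $master.LastWriteTime)) {
        Copy-Item -Path $master.FullName -Destination $target -Force
        Write-Verbose "Refreshed $($master.Name) from the master copy"
    }
}

# 4. Point the application at its settings via a per-user registry value.
#    HKCU is writable by a standard user; HKLM is not, so nothing machine-wide is touched.
$regKey = "HKCU:\Software\$AppName"
if (-not (Test-Path $regKey)) { New-Item -Path $regKey -Force | Out-Null }
Set-ItemProperty -Path $regKey -Name 'SettingsDir' -Value $UserDir

# 5. Map the application's data drive for this session if it is not already present.
if (-not (Test-Path "${DriveLetter}:\")) {
    New-PSDrive -Name $DriveLetter -PSProvider FileSystem -Root $DriveShare `
                -Persist -Scope Global | Out-Null
}

# 6. Only now launch the executable, with F:\MyWork as its working directory.
Start-Process -FilePath $ExePath -WorkingDirectory 'F:\MyWork'
```

Nothing in the script needs elevated rights: it writes only to the user's Homespace and to HKCU, which is exactly why a menu launcher can set an application up for a standard user without Privilege Guard being involved.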
The F:\Zenith directory that is used for some settings is a legacy directory from previous versions of the Managed Desktop, and contains the settings for users of those earlier desktops.
The University now also uses a Microsoft feature called UE-V (User Experience Virtualization) that roams personal settings for Microsoft and some other vendors' applications between sessions. Not all software is yet configured to use it, but its use is being extended. The settings are stored in the F:\SettingsPackages folder.
How does Managed Desktop install software to secure Workstations?
The Windows 7 operating system is protected by NTFS security rights, so that most users do not have the ability to add, amend or delete files in most areas of the C: drive. The user also does not have the rights to add, amend or delete entries in the workstation's machine-wide registry hives (such as HKEY_LOCAL_MACHINE); users can still write to their own HKEY_CURRENT_USER hive.
The Managed Desktop has some software installed and configured within image that is distributed by IS&T, but specialist applications and applications used for teaching in certain locations are installed by a central service that will remotely install applications on the required workstations.
Most software installation requires files to be added and registry entries created for the software to work correctly. Even software that is installed on servers instead of the local hard disk will probably still require registry entries and certain DLLs to be present on the workstation for the software to work correctly.
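The following is an added example (not SHU's own tooling) that checks the posture the "Why is the University using Privilege Guard?" answer and the paragraph above describe: whether the current session holds an elevated token, whether the account is a direct member of the local Administrators group, and whether the protected NTFS and registry locations are actually writable. It probes by trying to create and immediately delete a uniquely named folder or key, so it leaves nothing behind. The ADSI WinNT lookup is used instead of Get-LocalGroupMember because the latter does not exist on Windows 7.

```powershell
# Added example: least-privilege posture check for a Managed Desktop session.
# Not SHU's own code; the probe locations are the standard protected areas.

function Test-IsElevated {
    # $true only when the process token actually carries the Administrators SID.
    # A member of Administrators running un-elevated under UAC gets $false here.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Direct members of the local Administrators group (nested group members are not expanded).
    $group = [ADSI]'WinNT://./Administrators,group'
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-WriteAccess {
    # Try to create a uniquely named probe item under $Path and remove it again.
    # Works for both file-system paths and registry paths (HKLM:\..., HKCU:\...).
    param([string]$Path)
    $probe = Join-Path $Path ('mdprobe_' + [guid]::NewGuid().ToString('N'))
    try {
        if ($Path -like 'HK*:*') {
            New-Item -Path $probe -ErrorAction Stop | Out-Null
        } else {
            New-Item -Path $probe -ItemType Directory -ErrorAction Stop | Out-Null
        }
        Remove-Item -Path $probe -Recurse -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

$admins = @(Get-LocalAdminMembers)

$report = [ordered]@{
    User                 = [Security.Principal.WindowsIdentity]::GetCurrent().Name
    ElevatedToken        = Test-IsElevated
    DirectLocalAdmin     = ($admins -contains $env:USERNAME)
    CanWriteProgramFiles = Test-WriteAccess $env:ProgramFiles
    CanWriteWindowsDir   = Test-WriteAccess $env:SystemRoot
    CanWriteHKLMSoftware = Test-WriteAccess 'HKLM:\SOFTWARE'
    CanWriteHKCUSoftware = Test-WriteAccess 'HKCU:\SOFTWARE'   # expected $true for every user
}

[pscustomobject]$report | Format-List
```

On a correctly configured MD7 workstation a staff or student user should see ElevatedToken and every CanWrite value except CanWriteHKCUSoftware reported as False. DirectLocalAdmin True together with ElevatedToken False is the Privilege Guard model working as intended: the rights exist but are not in use; DirectLocalAdmin True with ElevatedToken True in an ordinary session is the permanent-admin situation the answer above warns against.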
Is the Sophos Anti-Virus Checker in the Default Managed Desktop Image?
Sophos is installed within the Managed Desktop image that is distributed by SLS.
The software is installed as part of the sysprep process and connects to a server within SHU to receive regular updates.
Sophos supports Apple Macs and SHU laptops and portables can receive updates from the SHU Sophos service when they are not connected to the SHU network.
The MDIG group is the Managed Desktop Implementation Group, which is made up of members from the SLS Networks & Infrastructure, IT Support and Help, Support and Guidance teams.
This is the group that creates the Managed Desktop image and is responsible for the installation of University-wide applications. Any problems with Managed Desktop are discussed here and solutions sought. Suggestions for the improvement and development of Managed Desktop are discussed within this group.
The MDIG group isn’t responsible for deciding on the applications that are actually used within Managed Desktop, or for the look and feel of the desktop. The suggestions for these come from elsewhere, but MDIG is the group that tries to implement the recommendations.
There is an Email list for all MDIG members at MDIG@SHU.AC.UK
Where is Student Homespace stored and how it is accessed?
Student Homespace is stored on a large Windows file store cluster that is accessed over the SMB2 file-sharing protocol, which is provided as standard on PCs running Windows.
If the connection is successful then the user’s Homespace will be shown within Windows Explorer as drive F:.
What is stored in the student Homespace directory?
Student Homespace is used to store user files and settings, so allowing users to move to any Managed Desktop machine within Sheffield Hallam University and retrieve previously saved files.
Most software within Managed Desktop has been configured so that the default file location for opening and saving student files is F:\MyWork.
There are certain directories that are used to hold user configuration files so that software will run with the settings and files that the user previously configured. These directories are held in subfolders under the F:\MD and F:\Zenith directories.
Such software includes Firefox and Internet Explorer, which allows users to create their own personal settings, bookmarks and IE favorites and then use them on any Managed Desktop machine.
For a new user, there should be four sub-directories created in the F:\ directory, these being:
- F:\Download
- F:\MyWork
- F:\MD
- F:\Zenith
The F:\Download directory is used as the default directory to store files that are ‘downloaded’ by applications, such as Winzip, FTP, Chrome and Internet Explorer.
If users are short of space in the Homespace directory then this directory should be checked to see if there are any files that should be deleted.
The F:\MyWork directory is used as the default directory for user files storage by most applications, such as Microsoft Office.
Some of the larger applications that are used with Sheffield Hallam University, such as Oracle, create subdirectories under F:\MyWork as they need to save and use many different files, but that all relate to that particular application. The directory structure of these applications is usually determined by the specialist responsible for that application, although some software, such as Exceed, insists on creating sub-folders as part of the installation process.
The F:\MD and F:\Zenith directories are used to hold user-specific application configuration files, with the applications creating subfolders within these directories.
These directories are not really intended for data files, and files should not be deleted from them by users.
These directories are the same within both staff and student users Homespace directories.
They were designed for use by staff with the creation of Zenith 1 in 1998, whilst students were using Site98 at a time when students didn't have any network space, so worked from floppy disks. When the two desktops were joined together with the implementation of Zenith 2, the student system shared many applications with staff that had already been installed and configured to use certain directories on F:\, so it was necessary for students to receive the same directory structure for their Homespace in order to allow the applications to function correctly.
By using shared applications it allows all users to use one install, so is the same for all users and allows staff to use lab machines seamlessly.
Within the root of F:\ there will be a few UNIX system files.
What happens if the connection to Homespace fails on Login?
During the login process, the system attempts to establish a connection to the user's Homespace directory on the server.
If the connection to the server fails on login then the user is given a warning message informing them of this.
A folder named C:\Data\username is created on the local disk and used for the user's data whilst F: is not available.
What can cause the connection to Homespace to fail on Login?
There are a number of issues that cause the connection to Homespace to fail during the student login process.
These include:
- User doesn’t have a directory on Homespace
- Homespace not being available
- Network problems
The connection to the user's Homespace directory is performed during the login process by Active Directory, using the home directory properties (home drive letter and server path) set on the user's AD object.
It is possible that Homespace could be temporarily unavailable due to a server or network failure. This should not occur too often and will affect all users. Obviously SLS will attempt to rectify such a situation immediately.
Why when the connection to Homespace fails does Managed Desktop create an F: drive mapping to a directory on C:?
If the connection to Homespace should fail for any reason then the Managed Desktop system still needs to use certain directories in order for the software to function correctly.
This is because all the software configuration files and registry settings still point to F: as the location for the necessary files, so a C:\Data\USERNAME directory is created on the workstation's local disk. This directory is then mapped as drive F: with the subst command (which makes a directory on a local disk appear as a drive letter), so that all the software that expects to use directories and files on drive F: can continue to do so; the only difference is that F: resides on the local disk rather than on Homespace.
This is not a nice solution and it can be confusing to try and explain why this needs to happen, but without it a lot of software would fail to work.
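The following is an added example of the login-time Homespace mapping with the local fallback described in the last three answers. It is not SHU's own login script: it assumes the share path arrives in the HOMESHARE environment variable (which Windows fills in from the home directory properties on the user's AD object at logon), that the fallback root is C:\Data\username, and that the standard F:\ sub-directories should be created either way. The warning text is also an assumption.

```powershell
# Added example: map Homespace as F: at login, fall back to a subst'd local folder
# if that fails. Not SHU's own login script; see the lead-in for what is assumed.

$HomeShare = $env:HOMESHARE                     # e.g. \\homeserver\users$\username (assumed)
$Drive     = 'F'
$LocalRoot = Join-Path 'C:\Data' $env:USERNAME  # C:\Data\username
$Subdirs   = 'Download', 'MyWork', 'MD', 'Zenith'

function Remove-StaleDrive {
    # Clear any leftover network mapping or subst on the letter from an earlier session.
    param([string]$Letter)
    if (Test-Path "${Letter}:\") {
        & subst.exe "${Letter}:" /D | Out-Null
        & net.exe use "${Letter}:" /delete /y | Out-Null
    }
}

function Connect-Homespace {
    # Returns $true when the share is reachable and has been mapped to the letter.
    param([string]$Share, [string]$Letter)
    if ([string]::IsNullOrEmpty($Share)) { return $false }     # no home directory on the AD object
    if (-not (Test-Path -LiteralPath $Share)) { return $false } # server or network unavailable
    Remove-StaleDrive -Letter $Letter
    & net.exe use "${Letter}:" $Share /persistent:no | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Use-LocalFallback {
    # Create C:\Data\username and present it as the drive letter with subst, so every
    # configuration file and registry entry that points at F:\... keeps working.
    param([string]$Root, [string]$Letter)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    Remove-StaleDrive -Letter $Letter
    & subst.exe "${Letter}:" $Root | Out-Null
    return ($LASTEXITCODE -eq 0)
}

if (Connect-Homespace -Share $HomeShare -Letter $Drive) {
    $mode = 'Homespace'
} elseif (Use-LocalFallback -Root $LocalRoot -Letter $Drive) {
    $mode = 'local fallback'
    Add-Type -AssemblyName System.Windows.Forms
    [void][System.Windows.Forms.MessageBox]::Show(
        "Your Homespace could not be connected. Drive F: is temporarily on this workstation's local disk ($LocalRoot); files saved there will not be on Homespace.",
        'Managed Desktop', 'OK', 'Warning')
} else {
    throw "Unable to provide drive ${Drive}: from either Homespace or the local fallback."
}

# Whichever backing store F: has, the applications expect the standard folders to exist.
foreach ($d in $Subdirs) {
    New-Item -ItemType Directory -Path "${Drive}:\$d" -Force | Out-Null
}

Write-Verbose "Drive ${Drive}: provided from $mode"
```

In this example nothing copies files from the fallback folder back to Homespace once the server is reachable again, which is why the warning tells the user where their files actually went; anyone adapting the pattern should decide explicitly how, or whether, that reconciliation happens.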
Are there any plans for a Windows 10 Managed Desktop?
We are currently developing a Windows 10 Managed Desktop that is being used on Surface Pro 4s for teaching and a few staff workstations.
This is in the early development phase and is being built using the Agile Methodology which uses Sprints to release frequent updates so a new update is released each month with additional software and settings becoming available.
Previous Managed Desktops took a long time to develop, test and release as all the software had to be packaged and tested and corporate applications had to be updated to work with the new operating system before it was released.
By releasing small monthly updates the desktop is available earlier than previously, but users can only have it when it meets their requirements regarding available software and functionality.
There is information for staff regarding the Windows 10 Managed Desktop on the staff intranet, including information about each Sprint and the available software.
Information for staff regarding the Windows 10 Managed Desktop
Application Jukebox is a software virtualisation technology from Numecent that allows applications to be packaged and distributed to workstations without it being physically installed on the workstation.
This has many advantages for the University, including making software more widely available, improving workstation performance, making application updates easier and quicker, allowing staff to test new versions alongside existing software, and working across platforms such as Windows 7, Windows 10 and the Staff Remote Desktop.
Applications are launched via a web browser and will work off campus so allowing MD laptops to install new and updated software.
SHU has purchased a site license and will be using this technology to deliver software for 2016/17 and is currently using this to deliver software to the Windows 10 Managed Desktop.
Some Windows 7 workstations have the client installed and it is currently being used to teach SAS 9.4 within the University for 2015/16.