Citrix aims to overhaul laptop management with XenClient

Ian Pratt claimed that XenClient can lock down the corporate desktop while keeping users happy

Citrix unveiled more details about its client-side virtualisation platform for laptops at its recent iForum event in Edinburgh, and disclosed that a technical preview of the software will be available in the second half of 2009.

Now known officially as XenClient, the platform uses a bare metal hypervisor to partition a laptop into two or more virtual machines, enabling a mobile worker to have a personal environment alongside a corporate environment controlled by the IT department.

If Citrix can deliver on its claims, XenClient should prove very attractive to large organisations, as it promises to solve administrator headaches concerning laptop manageability and security, and potentially eliminate the need to maintain separate system images for desktops and laptops.

Ian Pratt, vice president of advanced virtualisation products at Citrix, and founder of XenSource, said that over two years of work had gone into preparing the Xen hypervisor to run on client systems.

"Client virtualisation is very different from that on a server, and the benefits are different. On a server, it's all about consolidation and making the most efficient use of resources. With clients, the main benefits are security and management," he said.

All current client virtualisation products on the market operate with a Type II hypervisor, according to Pratt. This means that they run on top of a host operating system, as compared to a Type I hypervisor that runs on the bare metal below the level of any operating system.

XenClient is a bare metal hypervisor, meaning that it has control of the hardware, which is a key consideration for secure operation, he said.

"If your virtual client is running inside another operating system, and that operating system gets infected with malware, it can simply read any information from your virtual client right out of the host's memory without you even knowing anything about it," Pratt said.

As well as making use of the Trusted Execution Technology in newer Intel processors to ensure that Xen has not been compromised, XenClient makes use of hardware support for virtualisation to keep performance as close as possible to the user's expectations if their virtual environments were running natively. This means that 3D graphics and multimedia should work just like on a standard laptop.

The hypervisor is a thin layer, just a few megabytes in size, and can be built into the firmware or installed to the hard drive in existing laptops, according to Pratt.

But another key feature of XenClient could make or break the technology as a must-have for large organisations.

The platform will feature a bi-directional synchronisation mechanism between the laptop and the datacentre, so that updates and patches can be pushed out to users, while user documents and other data get sent in the reverse direction to create a backup.

"Firms are still struggling to manage laptops, because users are not always connected," said Pratt. This means that vital patches might not reach mobile users, while data could be lost if the laptop is misplaced or damaged while on the road.

Citrix envisions that XenClient will be able to link back to base whenever the laptop has an internet connection, using an efficient synchronisation protocol to use as little bandwidth as possible.

XenClient also fits into Citrix's vision of the increasing consumerisation of IT, because it should give workers more freedom over the client system they can use.

"If you look into the future, a user might be able to turn up with their own laptop and, if it has the hypervisor already installed by the vendor, the IT department can just deploy a standard corporate image onto it," said Pratt.

For example, while a technical preview is coming later this year for PCs, Citrix also said it is working at getting XenClient onto Apple's MacBook line.

"This will enable Mac users to get access to corporate applications, which we see as a growing market," said Pratt.

During his keynote speech at the iForum, Pratt demonstrated XenClient running on a laptop partitioned into separate 'work' and 'home' environments that allowed him to instantly switch from one to the other.

However, XenClient can also publish applications from the corporate environment so the user can access them securely while using their home environment. The application, such as Outlook, appears with a green border signifying that it is running in a separate virtual machine.

Pratt claimed that the hypervisor ensures that keystrokes directed to the application cannot be intercepted by any software running in the home environment, and that capturing the screen would show the corporate application's window as a black space.

Pratt concluded that XenClient represents a great opportunity to improve the security of the enterprise desktop on mobile clients.

"You can attach policies to the corporate image to make sure it is encrypted, and IT can issue a 'kill pill' to wipe it if the laptop is lost. You can do a better job of locking down the corporate environment while still keeping users happy," he said.