Intel® vPro™ Technology
Enabling Dynamic Virtual Client Computing with Intel® vPro™ Technology
Dynamic Virtual Client Computing
Client virtualization-based technologies have the potential to significantly reduce the need to make costly or ineffective business compromises. Several emerging solutions that take advantage of client virtualization allow the diverse needs of IT organizations, business units, and end users to be met simultaneously. These solutions support five key attributes of today's computing world: central management, protected data, on-demand delivery, local compute and graphics, and support for mobility. We call this family of solutions Dynamic Virtual Client (DVC) computing.
DVC technologies and solutions include application virtualization, OS and application streaming, and an emerging class of solutions based on virtual container models. Centralized management and on-demand delivery go hand in hand: IT manages applications or OS images centrally, while remotely delivering the user-required base image and any sequenced updates as the user needs them.
Data protection is delivered through multiple techniques including central storage and backup, roaming profiles, and client-side data encryption. Local computation and graphics allow users and IT personnel to take advantage of a client-computing capability for a rich and responsive user experience while minimizing data center build out.
The final critical attribute of DVC computing is the support for pervasive mobility, as business units and end users require increased flexibility for travel, day extending, and business continuity. DVC solutions have many advantages over traditional client computing models. With advanced client hardware capabilities, IT can improve the security, management, and delivery of DVC solutions. Some of these capabilities and their applicability to DVC are discussed in the next section.
Traditional Requirements and Emerging Solutions for DVC
Regardless of the DVC model used, management of the physical PC is critical. Being able to inventory both hardware and software regardless of system power or health state is critical for IT groups.
In situations where the PC is unable to boot due to software, BIOS, or hardware issues, remote troubleshooting capabilities such as IDE Redirection (IDE-R) and Serial over LAN (SOL) are extremely valuable in both traditional and DVC compute models. Remote troubleshooting enables IT to run diagnostics and, in many cases, repair systems without having to make a desk-side visit.
Another critical requirement of IT groups is to be able to remotely power on and off PCs. This allows IT personnel to apply updates to applications during off hours thereby minimizing the impact on the user and saving energy by not having to power client systems overnight. Remote power control also reduces peak loads on streaming servers when applying updates to broadly-deployed applications.
Also critical to IT groups is ensuring that the overall PC management solution has the appropriate levels of security in setup, provisioning, and ongoing communication. At the same time, PC management must be well integrated into existing enterprise systems for administration, device, network, and account management. Providing support for device authentication protocols, such as those supported by Cisco* Self-Defending Network (SDN), Microsoft* Network Access Protection (NAP), or 802.1x [11], is a good example of such a management solution. Support for device authentication protocols enables client network access for management and troubleshooting functions, even when the host OS is powered down or not functioning.
The client hardware capabilities discussed so far have broad applicability across traditional and DVC models. We move on to discuss a few capabilities that are specific to DVC, or that are unique in the way that they can be applied as part of a DVC solution.
For OS streaming, a critical point in the process is kicking off the OS stream at the initial stages, right after the PC power button is pushed. First, the diskless PC needs to have network access. In cases where end-point authentication technologies are implemented (for example, 802.1x), firmware and hardware support to access the network is required. The next challenge is to initiate the boot process securely by executing a small bootloader or bootstrap (<100 KB) on the device. Most of the OS streaming solutions utilize PXE (Pre-boot eXecution Environment) to get this bootloader to the client. The challenge this can pose to IT systems is that IT personnel may already be using PXE for another application, and they may therefore not allow the use of PXE, because it is a broadcast protocol. Alternatively, IT personnel might not support DHCP on their network, and PXE requires DHCP. An alternative to PXE is to use IDE-R as the mechanism to launch the bootloader. The IDE-R service can be triggered by the client by using Intel AMT alerts that are sent during system power cycles.
Another area where hardware capabilities are directly applicable to DVC is virtual containers in which Intel technologies such as Intel® Virtualization Technology (Intel® VT) for IA-32, Intel® 64 and Intel® Architecture (Intel VT-x), Intel® Virtualization Technology for Directed I/O (Intel® VT-d), and Intel® Trusted Execution Technology (Intel® TXT) are utilized. These technologies enable device pass-through, DMA remapping, memory protection, and secure launch to ensure the virtualization layers are not tampered with or modified.
The same mechanisms that allow IT organizations to inventory software from the client can be used to control and modify access control lists (ACLs) for virtualized applications and to notify host-based agents that urgent updates to policies or applications are required. Virtualized application solutions often have client-based agents that can add, renew, or remove access to a virtualized application on the client. The ability to write and read from nonvolatile memory on a client, regardless of system state, enables some unique approaches to managing these application ACLs. The nonvolatile memory, also known as third-party data store (3PDS), can be used by both the host-based virtualized application agent and the application console to store application ACLs. This capability enables a console to add, renew, or remove access to an application regardless of system state. Even if the system is turned off, the console can remove or renew access to an application, and once the system is powered on, the host-based (virtualized) agent checks 3PDS and immediately applies the changes. A common example is removing the application from the client. Alternatively, consoles can post flags to 3PDS to notify their agent that a critical update or policy change needs to be applied. This flag is then recognized by the host-based agent, and the policy or update is immediately applied when the system wakes. These approaches can save even more power because the administrator does not have to wake the system to apply the update, while still ensuring that when the system does wake, the ACL, policy change, or update will be acted upon.
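The console-writes, agent-applies-at-wake flow described above is sketched here as an added example; it is not Intel or vendor code and makes no Intel AMT calls, modelling the 3PDS contents as a plain byte string. The record layout, the shared HMAC key, and the sequence counter are assumptions added so the agent can reject a forged or replayed record before changing any ACL.

```python
import hashlib
import hmac
import json

# Assumption: key shared by console and agent at provisioning (constructed value).
SHARED_KEY = b"constructed-demo-key"
TAG_LEN = 32  # HMAC-SHA256 output size

def console_write(seq, acl, flags=()):
    """Console side: build the blob to place in 3PDS.
    Hypothetical layout: 32-byte HMAC-SHA256 tag followed by a JSON body."""
    body = json.dumps({"seq": seq, "acl": acl, "flags": list(flags)},
                      sort_keys=True).encode()
    return hmac.new(SHARED_KEY, body, hashlib.sha256).digest() + body

def agent_apply(blob, state):
    """Agent side, run at power-on or wake: verify the blob, then reconcile.
    state = {"seq": int, "apps": set, "pending": list}. Returns the actions
    taken; a forged or stale blob leaves state untouched."""
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return ["rejected: bad tag"]
    record = json.loads(body)
    if record["seq"] <= state["seq"]:  # replayed or already applied
        return ["ignored: stale record"]
    actions = []
    for app, verdict in sorted(record["acl"].items()):
        if verdict == "remove" and app in state["apps"]:
            state["apps"].remove(app)
            actions.append(f"removed {app}")
        elif verdict in ("add", "renew"):
            state["apps"].add(app)
            actions.append(f"{verdict} {app}")
    for flag in record["flags"]:  # console-posted notification flags
        state["pending"].append(flag)
        actions.append(f"queued {flag}")
    state["seq"] = record["seq"]
    return actions

if __name__ == "__main__":
    # Constructed scenario: the console edits the ACL while the PC is off.
    state = {"seq": 3, "apps": {"cad", "erp"}, "pending": []}
    blob = console_write(4, {"cad": "remove", "mail": "add"}, ["critical-update"])
    print(agent_apply(blob, state), sorted(state["apps"]))
    print(agent_apply(blob, state))  # same blob seen again on next wake
```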
As discussed, DVCs provide a win-win solution for the needs of IT organizations, business units, and end users by providing central management, local execution, and support for mobility. The advanced hardware features in Intel® vPro™ technology are important for both existing and DVC models to ensure cost-effective and secure PC management. In addition, several Intel vPro technology capabilities add value in the areas of performance, management, and security, specifically for the DVC technologies of OS streaming, application virtualization and streaming, and virtual containers.
