We need to talk about SASE

I don’t know about you, but this whole SASE and SD-WAN thing has got me pretty confused. What is it? What does it do? Don’t we do this already? And what’s it got to do with End User Computing?

It seems like everyone has got an SD-WAN story and a SASE story, but either there’s an issue with marketing or I’m not listening hard enough to actually work out what the benefit is to the enterprise.

What is SASE, and why should I care?

Well, first off, I read Brian Madden’s great blog post here. It’s a great summary, but just to break it down further:

Enterprises have been moving a lot of their core infrastructure to the cloud over the past 5 years or so. Leading the charge has been VDI, rapidly transforming EUC into a cloud-delivered service. So, now that all of an organisation’s ‘stuff’ is in the cloud, what then? Well, the interesting thing is that even though an end user (who may be working anywhere in the world now, btw – thanks, covid) is accessing a cloud service, they have still needed to reach that cloud service via the same Datacentre that all the core services have been migrated out of.

The network seems to have been the last anchor into the Datacentre for a lot of organisations. And think about that network. For most organisations, the network is the focal point for all security services, such as firewalls, intrusion prevention and detection systems, web proxies etc. Migrating all of that is very difficult, and that’s before you even think about making any of those capabilities geographically distributed.

Well, luckily for you, dear reader, SASE is coming to the rescue. Imagine if you had unlimited time and budget to build a truly globally distributed secure network from scratch. You’d probably build yourself a private SASE solution. So, let’s define SASE now:

Secure Access Service Edge is a service that allows an organisation to distribute its network and security across the world without actually having to build it or own any of it.

Once using this service, a user has simple, transparent access to their cloud services from anywhere in the world. From a network and security perspective, that user is connecting into their local SASE Point of Presence (POP), with all of their network access then routed through the SASE service into their requested cloud service. For instance, if a user is accessing a DaaS service on Azure, they simply launch their client and are then routed to the DaaS service in the most efficient way possible through the provider’s network. In the world of WFA (work from anywhere), this is an essential service.

Let’s bolt on some security goodness

It goes deeper than that though. A SASE solution should also be extensible, allowing additional features to be added as required. One of those features could be, wait for it, a CASB service. It seems like we’re now in the era of four-letter acronyms. CASB stands for Cloud Access Security Broker. This particular feature allows a SASE solution to actually start to control access to services in the organisation AND across the SaaS services. This, EUC fans, is where the integration with the broader, and generally awesomer, EUC field is.

For a long time, the Digital Workspace has been focused on making it easy to consume apps, especially SaaS apps. Securing that access has been a bit trickier though, as the demarcation of the security boundary hasn’t been well defined. Identity aggregation tools such as VMware Access or Okta go a long way towards controlling access based on identity, but SASE and CASB go a step further. In fact, CASB as part of SASE can stop a user accessing a SaaS service in the first place, and even limit which individual services within a SaaS app a user can access.
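To make the two CASB controls just described concrete, here is an added example (my own illustration, not code from the post or from any SASE vendor) of a minimal broker-style policy evaluator: it first decides whether a user may open a SaaS app at all, and then whether they may use a particular service (feature) inside it. The app names, group names and policy layout are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Sequence, Set


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AppPolicy:
    # Groups that may reach the app at all. Default-deny: an empty set means nobody.
    allowed_groups: Set[str]
    # Feature name -> groups allowed to use that feature. A feature that is not
    # listed is blocked for everyone, even for users who may open the app.
    feature_groups: Dict[str, Set[str]] = field(default_factory=dict)


class CasbPolicy:
    """Evaluates access in two stages: the app as a whole, then the individual
    service (feature) inside it. Unknown apps are treated as unsanctioned."""

    def __init__(self, apps: Dict[str, AppPolicy]):
        self.apps = apps

    def evaluate(self, user_groups: Sequence[str], app: str,
                 feature: Optional[str] = None) -> Decision:
        policy = self.apps.get(app)
        if policy is None:
            return Decision(False, f"{app}: not a sanctioned app")
        groups = set(user_groups)
        if not groups & policy.allowed_groups:
            return Decision(False, f"{app}: user is in no group allowed to open the app")
        if feature is None:
            return Decision(True, f"{app}: app access allowed")
        if not groups & policy.feature_groups.get(feature, set()):
            return Decision(False, f"{app}/{feature}: feature blocked for this user")
        return Decision(True, f"{app}/{feature}: feature allowed")


# Constructed sample policy: hypothetical app and group names, not real tenants.
SAMPLE_POLICY = CasbPolicy({
    "crm": AppPolicy(
        allowed_groups={"sales", "finance"},
        feature_groups={
            "view": {"sales", "finance"},
            "export": {"finance"},            # bulk export limited to finance
        },
    ),
    "file-share": AppPolicy(
        allowed_groups={"sales", "finance", "engineering"},
        feature_groups={
            "download": {"sales", "finance", "engineering"},
            "share-externally": set(),        # nobody may share outside the org
        },
    ),
})


def run_samples(policy: CasbPolicy = SAMPLE_POLICY) -> Dict[tuple, bool]:
    """Maps a few constructed (groups, app, feature) requests to allow/deny."""
    requests = [
        (("sales",), "crm", "view"),
        (("sales",), "crm", "export"),
        (("finance",), "crm", "export"),
        (("engineering",), "crm", None),
        (("engineering",), "file-share", "share-externally"),
        (("engineering",), "shadow-it-app", None),
    ]
    return {r: policy.evaluate(*r).allowed for r in requests}


if __name__ == "__main__":
    for (groups, app, feature), allowed in run_samples().items():
        print(groups, app, feature, "->", "allow" if allowed else "deny")
```

The point of the second stage is that the broker sits in the traffic path and can see which part of the app is being used, so a decision can be finer than the all-or-nothing one an identity provider makes at sign-in.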

What about SD-WAN? Well, it’s pretty much the whole SASE story, just instead of one-to-one user mapping, it uses a physical device, like the VPN endpoints of old.

There you go. That’s the SASE story. It should be pretty evident why everyone is shouting about it now, and why it ties in so closely to the whole EUC story.

What is VMware’s take on Digital Employee Experience Management?

We all know that VMware has a comprehensive portfolio of solutions for End User Computing. One of the hottest topics right now is Digital Employee Experience Management, variously called DEX or DEEM.

VMware hasn’t really communicated much about DEEM, so I sat down with Spencer Pitts to get his view on the capabilities in WSONE and what this means for VMware.


Microsoft has just defined the ‘Personal Workspace’


Windows 11 and Microsoft 365 are Digital Workspace+. A Digital Workspace is an aggregation of multiple tools and services into a single pane. MS have just accomplished this with a prettier OS and VDI for everyone.

A journey of realisation

A couple of months ago, I wrote a blog post stating that VDI does not equal a digital workspace. I stand by that, as it was correct when I wrote it. Since then however, Microsoft has made some pretty fundamental announcements, and I think these change the equation.

Here’s why I’ve changed my mind:

A Digital Workspace can be described very easily: It’s a single point of aggregation of all a user’s IT services, bound together with a single identity. Whether that user needs a SaaS app, a workflow or a full VDI session, it should all be there with no additional authentication overhead for the user. It may include Unified Endpoint Management (UEM), a VDI solution or powerful analytics, but while they are nice to have (and critically important for most enterprises), they are simply additional parts of a Digital Workspace.

What Microsoft has done over the past month or so is to leverage two key solutions to redefine a new type of workspace – the Personal Workspace.

Think about the Personal Workspace as Digital Workspace+. It offers the same capabilities as a traditional Digital Workspace, but also allows more flexibility and personalisation. Let’s explore why and how.

Windows 11

Windows has never been about making it ‘easy’. Too much focus has been put on emphasising the Windows platform itself, with lots of ‘Hey look at this!’ mechanics going on. While Windows was such a key part of Microsoft, that sort of made sense. But now Microsoft is all about Azure, it can afford to remake Windows into something a bit different, to shrink its role while at the same time making it much more relevant for the world we all now live in.

The Windows user journey has always sucked too. There were too many non-intuitive menus and icons. The interface formerly known as ‘Metro’ was an awful beast that stayed around at least 8 years too long. With most iterations of Windows, a lot of time was spent by users and admins trying to undo some of these mistakes. In my experience, a lot of users are still nostalgic for the look and feel of Windows 95!

Windows 11 has changed all that, mainly by removing a lot of the UI ‘bloat’ of Windows 10. Its focus on putting everything the user needs at their fingertips is a breath of fresh air. The icons are easier on the eye, human feedback is more present than ever, and everything is arranged far more neatly, whether that’s a web browser or a productivity app. From what I’ve seen so far, the number of clicks needed just to get something done has been reduced. Here we have, at last, a minimal just-enough interface that qualifies as a Digital Workspace.

It may seem like a small thing, but Windows 11 looks so much ‘cleaner’ than Windows 10. I’m not going to go into the fact that Windows 11 looks like a fatter version of ChromeOS here. The fact is that Microsoft has done what Microsoft does best: it’s seen something better in the market and emulated it.

Another key feature of a Digital Workspace is that it’s a cloud-based service which places few requirements on the end user. There’s been much merriment over the past couple of weeks in the EUC industry, as Microsoft’s Windows 365 announcement looked like it was introducing VDI to the world for the first time, even though there are probably tens of millions of seats of Citrix, VMware and other VDI vendors’ products around, and there have been for the past 15 years or so.

Windows365 does do something different though. It uses Microsoft’s huge heft to get VDI and the concept of Windows-in-the-cloud to the masses. It also promises to make it very simple to administer and use. The big argument (and one that I used before) was that Windows was simply a huge waste of resources when it comes to offering a Digital Workspace service to users. It’s always been complicated to use and is expensive to host. If MS are going to (eventually) offer Windows 11 on a managed cloud desktop for a fixed price, and if that price is competitive, then a lot of that argument is neutralised.

What about this idea of a ‘Personal Workspace’ then?

If Microsoft have truly created a simplified Windows desktop that’s cloud based, cost effective and dedicated, then the possibilities are much more compelling than just a simple Digital Workspace. All enterprise applications will be available, whether SaaS or locally installed. The desktop will follow you around to multiple devices, irrespective of the OS, location or network. Any changes you make will persist. All the data you work on will be stored locally. Leveraging other MS technology like Windows Information Protection (which still needs work, I know), the Windows desktop could finally become Corporately Owned, Personally Enabled (COPE), like we see with iOS and Android devices.

Windows 11 and Windows365 will finally be the Windows the world has been waiting for, that pushes the envelope for the Digital Workspace. The only question left is which type of endpoints to consume it on. I have an idea on that front…


How to manage other people’s devices

Ever since BYO became a ‘thing’ back in around 2008, the subject of managing BYO devices has been a thorny one.

When it comes to corporately owned mobile devices, the answer is pretty simple: manage the thing. Put an agent on it, manage the device, the applications and the data. If you want to allow the end user to use it also as a personal device, fine, go down the Corporately Owned, Personally Enabled (COPE) route.

Now, there is a pretty traditional solution when it comes to BYO mobile devices too: MAM (Mobile Application Management). As it’s not a corporate device, putting a management agent on it is probably not a route you want to go down. Instead, manage the apps only and inject compliance and security configs directly into them.

Okay, great.

Desktops aren’t that simple. Windows, especially, doesn’t have a particularly strict App Store model, meaning that applications, and therefore malware, from a range of sources can be installed with very little effort. So, how do you enable access into your prized, secure systems from an unmanaged, and let’s be clear here, dirty personally owned endpoint?

Remoting platforms such as Citrix Virtual Apps & Desktops and VMware Horizon have been the traditional solution here. Keeping your Windows desktops and apps locked away in your DC or in the cloud means that the workload is abstracted from the endpoint. Anything dodgy on the endpoint cannot (unless there’s some careless misconfig) get access to the Windows session running on the virtual session.

Sometimes however, especially in environments requiring a high level of compliance, or a secure environment that cannot take the risk of losing credentials and data via key loggers etc, there needs to be some management of the endpoint to ensure compliance with security standards and to mitigate risk.

In the past, End Point Analysis (EPA) tools have been used to ensure this level of compliance. Think about it though. With EPA tools checking BYO devices, all you’re really doing is leveraging indirect control of a personally owned device by mandating that certain controls need to be in place before it can connect. Yes, you are not ‘touching’ the endpoint, but you are still trying to enforce policies.
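For readers who haven’t seen an EPA check up close, here is an added example (my own illustration, not code from the post or from any remoting vendor) of the gate such a tool applies before a BYO device is allowed to broker a session: a posture report from the endpoint is compared against a set of required controls, and every failing control is reported so the user knows what to fix. The report fields, the requirement values and the sample devices are all constructed; a real EPA agent reports its own schema, and because an unmanaged device self-reports its posture, the check raises the bar rather than proving the endpoint is clean.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class PostureReport:
    # Constructed schema for the example; a real agent reports its own fields.
    hostname: str
    os_version: Tuple[int, int, int]      # (major, minor, build)
    disk_encrypted: bool
    firewall_enabled: bool
    av_signature_date: Optional[date]     # None if no AV product was found
    screen_lock_minutes: Optional[int]    # None if no automatic lock is configured


@dataclass(frozen=True)
class PostureRequirements:
    min_os_version: Tuple[int, int, int]
    max_signature_age_days: int
    max_screen_lock_minutes: int


def check_posture(report: PostureReport, reqs: PostureRequirements,
                  today: date) -> Tuple[bool, List[str]]:
    """Returns (compliant, failed_controls). Every control is evaluated rather
    than stopping at the first failure, so the user gets the full list."""
    failures: List[str] = []
    if report.os_version < reqs.min_os_version:
        failures.append("os-version")
    if not report.disk_encrypted:
        failures.append("disk-encryption")
    if not report.firewall_enabled:
        failures.append("host-firewall")
    # Missing AV counts as stale AV: both mean the control is not in place.
    if (report.av_signature_date is None
            or (today - report.av_signature_date).days > reqs.max_signature_age_days):
        failures.append("av-signatures")
    if (report.screen_lock_minutes is None
            or report.screen_lock_minutes > reqs.max_screen_lock_minutes):
        failures.append("screen-lock")
    return (not failures, failures)


# Constructed requirement set (hypothetical values, not any vendor's defaults).
SAMPLE_REQUIREMENTS = PostureRequirements(
    min_os_version=(10, 0, 19041),
    max_signature_age_days=7,
    max_screen_lock_minutes=15,
)


def evaluate_samples(today: date = date(2021, 7, 1)) -> Dict[str, Tuple[bool, List[str]]]:
    """Runs three constructed device reports through the gate."""
    reports = [
        PostureReport("byo-laptop-1", (10, 0, 19043), True, True, date(2021, 6, 30), 10),
        PostureReport("byo-laptop-2", (10, 0, 19043), False, True, date(2021, 6, 1), 10),
        PostureReport("byo-desktop-3", (10, 0, 18363), True, False, None, None),
    ]
    return {r.hostname: check_posture(r, SAMPLE_REQUIREMENTS, today) for r in reports}


if __name__ == "__main__":
    for host, (ok, failed) in evaluate_samples().items():
        print(host, "->", "connect" if ok else f"blocked: {', '.join(failed)}")
```

Only the first sample device would be allowed to connect; the other two are refused with the specific controls that are missing, which is exactly the indirect enforcement the paragraph above describes.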

What can you do in this situation?

Well guess what? I have a solution. What if you could have complete control and management of that BYO device, but only at the point that the owner / user wanted to connect to your services?

Introducing the IGEL UD Pocket!

The UD Pocket is a very simple solution. It’s a bootable USB-A / C key that you can pop into almost any x86 based device (including x86 Mac) and boot from. This then boots into IGEL OS, which is a secure, light OS built for SaaS and VDI. Once in, and leveraging centralised management, you can connect straight into corporate apps securely. Even better, the IGEL OS is read only, meaning that it is very difficult to compromise. Restart the machine or remove the stick, and the machine boots back into its default OS, whether that’s Windows or Mac.

Here’s a simple tagline: Want to enable your users to use any of their desktop / laptop devices for secure access to your services? Give them an IGEL UD Pocket for On-Demand Management.

Watch my video, I dare you:

What to expect from Windows 11

There are a lot of rumours coming out of Redmond right now. What we’re seeing is the convergence of lots of different strands of Microsoft’s future Windows strategy: Windows 11, 10X, Deschutes (Cloud PC).

In the absence of facts, and my general impatience for all the announcements coming on the 24th, here are my thoughts about where Windows is headed in the immediate future:

The end of Windows 10

Unless there’s some pretty comprehensive disinformation campaign going on from MS, it seems pretty evident now that Microsoft is closing the book on Windows 10. That’s taken everyone by surprise, as back in 2015 Microsoft stated that Windows 10 would be the last version of Windows. We heard terms like ‘evergreen’ used to describe the fact that Windows 10 would become ‘Windows as a Service’, receiving content updates over its now infinite lifecycle.

From what we’ve seen, it looks like Microsoft will go back on that commitment with the release of Windows 11. But why damage some of that goodwill by releasing a new OS?

The Azure Equation

Well, it doesn’t take a genius to work out that Microsoft’s big strategy over the past 5 years has been to move as many workloads as possible to Azure. And they have been tremendously successful. Azure is catching up with AWS and now has around 20% market share compared to Amazon’s 32%. Nadella’s strategy of focusing on Office 365 customers and gradually incentivising them to make the move to Azure has paid huge dividends. In late 2019, MS took this one step further by introducing Windows Virtual Desktop (WVD). This was released at just the right moment to offer an easy on-ramp to VDI for businesses hit by the pandemic in March 2020.

Growth of WVD has been spectacular, and MS has invested a lot of resources, building in new features and capabilities on an almost weekly basis. The success of WVD has led to a whole ecosystem of vendors such as Citrix, VMware and Nerdio building their offerings and their future strategies on integration with this stack.

A curious development over the past week or so has been that Microsoft has changed the name of WVD to Azure Virtual Desktop, or AVD. To me, this links up with the next key development that I’m expecting to see on the 24th:


Microsoft have been dropping hints about another one of their key developments for over a year. This project, codenamed Deschutes, or better known as Cloud PC, has been kept under wraps longer than most other Windows developments. From what I can tell, Cloud PC is a true Desktop-as-a-Service offering from Microsoft, allowing users to use their own device as a thin client to get access to their AVD session. There are also rumours that this will integrate with Microsoft Endpoint Manager to enable full endpoint management along with the cloud desktop. The renaming of WVD seems to support this. To me, this looks like Microsoft is starting to bring its EUC capabilities together into a genuine Digital Workspace, similar to VMware’s Workspace ONE. This also looks like it will be a flat per-user price for existing Microsoft 365 customers.

Windows 10X

Windows 10X was a strange beast. It was originally designed for Microsoft’s dual screen Surface Duo, but the two screen approach was dropped early on. It was then redirected towards the single screen Surface Neo, before this idea was then dropped. Early this year, we began to see preview versions that suggested that 10X was going to become a thin operating system, replacing Windows 10 S and possibly taking the place that was once occupied by Windows RT (remember that?). This would make sense in a world heading towards SaaS and AVD. There were even suggestions that 10X could have been the thin endpoint OS designed for Cloud PC.

However, last month we got confirmation that 10X had been cancelled and that the UI capabilities were being ported to the next Windows release named ‘Sun Valley’, which many of us assumed would be Windows 10 21H2. Early screenshots of Windows 11 suggest that those UI changes are now in Windows 11.

My thoughts

Here are my predictions, and these could be massively wrong and very far wide of the mark:

Windows 11 will no longer support Active Directory.

Windows 10 built on top of Windows 8.1’s CSPs and modern management framework. Many organisations are now enrolling their devices into Intune rather than AD. AD is an old technology, first seeing the light of day with Windows 2000. There is very little reason in 2021 to add a Windows device to AD. Indeed, the only reason we did it before now was because Group Policy was the only way to centrally manage Windows. We no longer need to do this.

Windows 11 will be a streamlined, modular OS

Windows 10 didn’t know what it wanted to be so it did everything. Expect Windows 11 to be more modular with the ability to install with a minimal number of services enabled.

Windows 11 will have deep integrations with Azure by default

Windows 10 was released before Microsoft had fully realised its Azure strategy. We’ve already seen that there will be a lot of deep integration with Azure in Windows 11. Early screenshots have shown prompts for OneDrive during install, among other signs of intent.

MSIX will become the default way to install native apps

Following on from Apple’s move with macOS in 2018, support for older app architectures, such as 32-bit apps, may be dropped.

Windows 11 will require a level of hardware certification

Older versions of Windows have tried to be as hardware agnostic as possible. macOS and ChromeOS have much tighter integrations with their hardware.

The home version of Windows 11 will be a rebranded version of Windows 10X.

It will have more in common with ChromeOS than Windows 10 and be built for SaaS, VDI and the Web.

Despite all of the above, Microsoft may surprise us on June 24th. Don’t worry though, I’ll be ready to provide my opinions on the 25th!

Just enough OS to perform

Yep, this seems like a strange title. I’ve actually taken it from the title of the band Stereophonics’ 3rd studio album ‘Just Enough Education to Perform’. Give it a listen.

Back to the operating system. Did you know that there’s a concept in Operating System thinking called ‘Just Enough OS’, or JeOS? You can check this out in more detail here.

The key concept of JeOS is that in some applications or scenarios, you don’t need a full-blown traditional OS. You can get away with a very slim OS layer that just carries out the tasks required of the application.

Just enough for…?

The key question here is ‘Just enough OS for what?’. Well that depends on what the OS’s user is trying to do. Traditionally, with native, local applications, you need a lot of OS to ensure compatibility, including backwards compatibility with older application architectures.

The firm direction for applications though is for less native and more SaaS. Even more interestingly, these SaaS applications are increasingly being brokered by Digital Workspace solutions such as VMware Workspace ONE. It’s conceivable that in 5 years’ time, SaaS apps and Digital Workspaces will be the primary method of application delivery and consumption in most organisations.

In that case, how much OS is Just Enough? What do we actually need from the OS to enable access to the Digital Workspace?

Basics of an Operating System

Well, there are some basic capabilities. First, the OS needs to be able to interface with the available hardware. There needs to be IO Management, Drivers, Storage and Networking Management etc. Then, there needs to be integrations with various services, the User Interface (UI) and of course the ability to enable some local applications.

Once that stuff is in place, we should be good to go. Remember, that when we’re connecting to a true Digital Workspace, most of the compute and app requirements are being taken care of somewhere else. We’re just consuming the end result.

Let’s have a look at a traditional OS connecting to a Digital Workspace:

You can see here that in this case, the traditional OS (Windows) contains all of the key services we need in an OS. However, it also has a lot of ‘stuff’ that we probably wouldn’t need when connecting to a Digital Workspace. That’s because Windows has a lot of additional capabilities that were built for the era of local computing. These components aren’t useless, they just won’t matter for most users in a modern SaaS environment.

How many enterprise users will be using Xbox services? Does anyone actually use Cortana, like, ever?

What about an OS designed for SaaS?

Let’s have a look at an OS that’s been designed for the SaaS era:

See the difference? The same core capabilities are there, including interfacing with the underlying hardware and the ability to broker access to local apps should they be required. However, everything superfluous has been removed. Only what is necessary to connect to a Digital Workspace is in the OS.

There are obviously some key benefits to this, from reducing the attack surface from a security perspective to requiring fewer resources from the hardware layer to offer the same experience.

Windows is a great operating system, and the foundation for most modern organisations. As we get deeper into the SaaS era though, it’s time to reconsider how much OS you actually need at the edge.

A new way of understanding EUC for the 2020s

Remember back when End User Computing was just about which version of Windows you had installed on your PCs? That seems so long ago now. But even then we (the EUC industry, not the ‘Royal We’) complained that it was pretty tough.

Back then, if we were going to draw a diagram of EUC, we’d probably just draw a couple of PCs on a single slide and then stick our collection of PCLM tools around them. I still have a few slides like that somewhere…

How different it is now!

These days we talk about DEX, UEM, VDI, RDS, ICA, HDX, IAM and others. It’s a jungle of terms and topics. I’ve got a pretty good handle on the state of the EUC industry, the different players and trends, and what’s hot and what’s not. But then that’s my job. For a customer trying to work out the industry, it must be an absolute nightmare. The big analysts are out there offering some help. I, however, am a very visual person. I just want to see what the hot topics are, where the different vendors fit in, and which vendors complement each other.

Above is my system for doing this.

People in the industry I’ve shown this to have variously called it ‘The EUC Honeycomb’, or The Matrix.

One of the big benefits of this system is that I can demonstrate where different players across the EUC space can work together to provide a more comprehensive solution for customers and partners.

Here’s an example of a big Digital Workspace Vendor integrated with IGEL:

There is a key for the above, but very basically, the brighter the hue of the hexagon, the stronger the vendor plays in that space.

Now, a lot of this is based on my own opinion of a vendor’s capabilities reached through my own research and also speaking to employees of the vendors themselves.

I’m working on codifying my scoring system, and also providing my definitions for each of these areas. I’ve found so far though that it’s been very well received and simplifies conversations when it comes to the overall EUC ecosystem.

Give me a shout with any questions!

Surely IGEL OS is only useful on the LAN?

That’s what I thought too. When I had my initial chat with the team at IGEL, my thought process was very much that IGEL wasn’t relevant due to the pandemic. That’s a Thin Client OS, right? Turns out I was wrong (very rarely happens).

In fact, IGEL had one of its best years ever when everyone was locked up at home.


IGEL started moving away from hardware several years ago, and is now firmly in the edge OS camp. And an edge OS is pretty rubbish if it can’t be deployed at, well, the edge.

One of the core components of the IGEL platform is the Universal Management Suite, or UMS. It provides all of the device registration, configuration and management tasks for the edge devices. In a LAN environment, devices running IGEL OS will just connect directly to the DNS name of the UMS server(s) or the load balancer. When a device is external however, that gets a lot more difficult, and you definitely don’t want to expose a management tool like UMS directly to the internet.

The IGEL platform includes a capability known as the IGEL Cloud Gateway, or ICG. It’s this little box of magic that allows devices outside of the corporate LAN to still be managed by UMS.

This is a great way of extending the secure OS or bubble of an enterprise anywhere the user is, rather than tying them to a location, or forcing them to use a VPN.

Here’s a quick video I put together to show what this looks like: