A technical review of Citrix Managed Desktops
Jo Harder discusses the new capabilities of Citrix Managed Desktops, compares it with the Citrix Virtual Apps and Desktops Service, and presents a hands-on review.
Citrix just announced the release of its newest cloud service, Citrix Managed Desktops (CMD). At first glance, this service appears very similar to the existing Citrix Virtual Apps and Desktops (CVAD) Service, but it is positioned as a Desktops as a Service (DaaS) offering. As we dive deeper, you’ll see that this new service has a number of technical differences, which differentiate the target audience as well. As Jack recently wrote, CMD will go GA on August 26.
Citrix Managed Desktops technical review
Let’s first discuss the similarities between CMD and CVAD. Both services allow administrators to connect to Azure Active Directory (AAD) or Active Directory to allow user accounts to securely access resources via a customer-provided Citrix Gateway or the included Gateway Service. From the user perspective, logging into CMD and the presentation of virtualized applications and desktops appear to be exactly the same. CMD, like CVAD, provides the administrator with the ability to create a custom URL with the cloud.com suffix, present identical Citrix Workspace functionality, and enable minor site customizations. But the backend system and processes, as well as the options available to the administrators, are the key differences.
By default, Citrix resources presented to users are based on non-domain-joined Windows servers or workstations, including multi-user Windows 10. Multi-user Win10 is a new Microsoft entitlement and works much like the server-based RDSH we’ve known for many years, except that it’s based on a workstation operating system. One key advantage may be that applications that function on workstation operating systems, whether due to real or perceived vendor requirements, can be virtualized for users.
Wait! Did that previous paragraph really say non-domain-joined servers and workstations? Yes, non-domain-joined Virtual Delivery Agents (VDAs) usher in a welcome new stream of features and functionality. Previously, user accounts and Citrix resources had to reside in the same domain for security reasons. Alternatively, it was possible to authenticate users via SAML from another domain, as configured on an on-premises Citrix Gateway, and then use Federated Authentication Service (FAS) to enable a shadow account to complete the session initiation chain. But the creation and maintenance of shadow accounts, as well as the need for Microsoft Certificate Authority (CA) server(s), add complexity to this solution, and thus adoption has been low.
Non-domain VDAs enable the shadow accounts to be created on the fly at login, eliminating the need for FAS, Microsoft CA server(s), and all the headaches that are associated with creating and maintaining the shadow accounts. However, this comes at the expense of some administrative ease and functionality.
Non-domain-joined VDAs require that administrators configure Citrix policies on individual server or workstation VDAs, rather than centrally. Where the environment is small, this is likely a reasonable tradeoff; however, medium-sized customers will find this cumbersome and unreasonable.
In addition, the feature set of CMD is basic and doesn’t include some features such as App Layering, Workspace Environment Management (WEM), Session Recording, and Provisioning Services (PVS). If these robust features are required, the CVAD service would be the better option.
As for the actual setup of Citrix Managed Desktops, I found it to be generally straightforward, but keep in mind that I’ve been working with Citrix technologies for 20 years. Although it’s not quite a wizard, a number of screens are presented that guide the administrator through the setup process. A newbie probably would have some difficulties, so it’s quite likely that a partner or consultant would be engaged.
An option for proofs of concept is to use the Citrix Azure AD and send invitations for user accounts that are based on email addresses not tied to a corporate domain. This is fine for learning, but realistically, connecting to either Azure AD or AD Directory Services, as well as backend database and other servers, would more closely represent a corporate PoC.
A key difference between the CVAD service and CMD is that, with Citrix Managed Desktops, Citrix maintains the VDAs as part of the subscription. That means that you do not pay Citrix for the infrastructure piece and then either maintain your VDAs on-premises or pay Microsoft (or another cloud provider) for VDA utilization; CMD is all-encompassing when it comes to the bill. While you can customize the VDA based on your resource requirements and the applications you choose to make available to users, updates to the VDAs, including Windows updates and VDA versions, are your ongoing responsibility.
Best fit for Citrix Managed Desktops
CMD is a DaaS offering at heart and fits in best for 1:1 virtual desktops. CMD will likely resonate with small businesses with basic virtual desktop requirements or perhaps entities of medium/large organizations that have a business need to support a small-scale or fringe requirement. When comparing the CVAD service to CMD, CMD puts a pretty bow on Citrix Cloud packaging for small-scale DaaS requirements.