I recently started as the sysadmin for an approx. 100-user organization, primarily using desktop clients and a mix of laptops to connect to a Citrix VDA environment both in the office and WFH (essentially overpriced thin clients). Desktop users will use the Citrix client from their own home setup in order to connect to the company's VDA environment and access resources, with IT having no visibility of those endpoints, raising some concerns.
We are wanting to decommission Citrix and move users to their fat clients as we begin to adopt a cloud-first approach.
Remote access will become an issue as a result of the users' personal home endpoints, and switching all users to laptops is not an option in the short term.
SASE solutions are also quite expensive for us, but not out of the question, although I'd like to find a cheaper option. Currently thinking of enforcing users' home devices into an MDM like NinjaOne or ManageEngine, so we can enforce security settings, updates etc., and building conditional access policies for our cloud apps, with MFA enforced.
Just wanted to share with the community and see if anyone has done something similar, and perhaps has an alternative approach? I'm quite used to supporting a laptop-only environment; it's been a while since I've had to juggle desktops and users' home devices!
You want to ditch Citrix (understandable), which is what allows your users to connect from their personal devices to a secured virtual environment. But you don't want to provide them secured managed devices so you can get rid of Citrix? So they're going to connect to your network from personal devices which you can't manage, which means they're not secure?
Sounds like you’re wanting to manage a totally insecure environment with zero budget to secure it AND are expecting it to be secure…
You have to secure the environment somewhere… Currently it is secured in the DC because your VDA environment is secured and you aren’t securing the user endpoints. If you get rid of that VDA then you must secure your endpoints. I would never try to secure a personal device that is not fully managed. Some jurisdictions even have laws preventing this, even in the US. IIRC, California requires the company to compensate the employee if they use their personal devices for work.
For a secure way to manage and access your endpoints remotely, SureMDM is a great option! It enables you to enforce security settings, deploy updates, create conditional access policies, assign group policies, and remotely access devices to address any issues.
If you’re exploring MDM solutions for managing home devices, you might want to check out Scalefusion MDM. It supports multi-platform management and provides tools for enforcing security policies, updates, and remote access configurations. It could be worth testing to see if it aligns with your conditional access goals.
For mobile management, VSA X has a solid MDM option. Implement conditional access for your cloud apps and use a VPN like NordVPN for secure connections. Training users on security, especially phishing with tools like BullPhish ID, is also important.
Don't get me wrong, I 100% agree. The business wants Citrix gone, but doesn't wish to invest in laptops in the short term, so I'm left trying to justify how we secure home devices, something I'm 100% against myself.
Mostly cloud resources, SharePoint etc., but the data is sensitive, so I'm wanting to lock it down behind conditional access, so it would likely be a VPN connection only if the device is compliant in MDM, with access to an RDS server.
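As an added example (not code from the thread or any of the products named in it), this is what the "compliant device plus MFA" gate described in the opening post and in the reply above looks like as an Entra ID Conditional Access policy created through the Microsoft Graph PowerShell SDK. It assumes an Entra ID P1 tenant, the Microsoft.Graph modules installed, and an MDM that reports device compliance into Entra ID (Intune, or a third-party MDM with compliance integration; not every MDM does this, so check before building the design on it). The emergency-access account ID is a placeholder.

```powershell
# Added example, not from the thread: report-only Conditional Access policy that
# requires MFA AND an MDM-compliant device for every cloud app.
# Assumptions: Microsoft.Graph SDK installed, Entra ID P1, device compliance
# state already flowing into Entra ID from the MDM. Break-glass ID is a placeholder.

Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All", "AuditLog.Read.All"

# Placeholder: object ID of an emergency-access (break-glass) account that is
# excluded so a misconfigured policy cannot lock every admin out.
$breakGlassAccountId = "00000000-0000-0000-0000-000000000000"

$policy = @{
    displayName   = "CA001 - Require MFA and compliant device for all cloud apps"
    # Start in report-only mode; switch to "enabled" only after reviewing the
    # sign-in log results below so unmanaged home PCs don't get cut off by surprise.
    state         = "enabledForReportingButNotEnforced"
    conditions    = @{
        clientAppTypes = @("all")
        applications   = @{ includeApplications = @("All") }
        users          = @{
            includeUsers = @("All")
            excludeUsers = @($breakGlassAccountId)
        }
        # Home desktops in this thread are Windows/macOS; narrow the platform
        # condition so phones are handled by a separate mobile policy.
        platforms      = @{ includePlatforms = @("windows", "macOS") }
    }
    grantControls = @{
        operator        = "AND"                       # both controls must be satisfied
        builtInControls = @("mfa", "compliantDevice")
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
Write-Output "Created policy $($created.Id) in state $($created.State)"

# Review impact while still in report-only mode: list recent sign-ins that this
# policy WOULD have blocked (result 'reportOnlyFailure'), i.e. users on devices
# that are not yet enrolled/compliant or who have not registered MFA.
Get-MgAuditLogSignIn -Top 200 |
    Where-Object {
        $_.AppliedConditionalAccessPolicies |
            Where-Object { $_.Id -eq $created.Id -and $_.Result -eq "reportOnlyFailure" }
    } |
    Select-Object UserPrincipalName, AppDisplayName, DeviceDetail, CreatedDateTime
```

Two design notes on the reply's VPN idea: the policy above only gates applications that authenticate through Entra ID, so a VPN gateway is covered only if it is federated with Entra ID as an enterprise application; a VPN with its own local credential store is invisible to Conditional Access and the compliance check. Second, "compliantDevice" is evaluated from the compliance state the MDM writes into the Entra device object, so a home PC that is enrolled but failing a compliance rule (missing updates, AV off) is denied, which is the desired behaviour but also the first thing the helpdesk will hear about; the report-only phase exists to find those users before enforcement.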
I really think the answer is laptops, but it's finding a way to convince the board that they need to replace their 1-year-old desktops.
Okay, people can no longer have any admin rights to their local PC; this includes having access to a local admin account. No other family members can use the device. The device is managed by the company, and restrictive policies will be enforced limiting and tracking what they are doing. All non-corporate apps and data will be removed, and AV and management agents will be pushed out. Updates will be enforced.
Without doing this the environment is not secure.
If Bob bought a 10 year old used laptop that’s running Windows XP I guess you have to deal with that too?
What they are asking is possible but no one will like it. Their requirements are not based in reality. Either they provide a managed and secure virtual desktop or they provide a managed and secured laptop/desktop.
Your current client devices have a built-in browser? Some SASE suppliers offer clientless access via a browser for RDP. You can use a browser to RDP to your RDS environment and access resources as needed without Citrix.
If you can go the agent model, then you have more secure access options.
Cato Networks, amongst others, has a client and clientless option.
Thanks for the recommendation, I'll take a look. SASE seems to be the way to achieve it, but when I quoted it, it was ballpark 2k a month. I guess the argument, though, is you weigh 2k a month opex for a solution that does what we need it to, or invest in mobile endpoints.
I don't know your entire scope, but for 100 named users and probably a 100 Mbps datacenter full-HA SD-WAN on-ramp (for access to private apps/resources if it's needed), Cato would likely be around half that number.
If you add in full app security (CASB/DLP) and inline threat prevention (IPS, NGAM, DNS security, etc.) on top (which I wouldn't assume is part of your existing Citrix deployment or budget), then 2k/mo is probably plenty of budget. You might still come in under the 2k/month, though. Cato is pretty reasonably priced.